s  world  and  what  we  learn  from  it  page  42 


W?gSSED  TO  KILL 

Warning  signs  for  busy  CSOs 
who  want  to  overcome  the 
pressures  of  their  jobs 
\\  \  V  PAGE  46 


THE  TERMINATOR 

How  to  create  a  safe  and 
dignified  process  for  firing 
employees 
PAGE  36 


THE  RESOURCE  FOR  SECURITY  EXECUTIVES 


THE  IMPOSSIBLE  SCHEME 

Why  keeping  your  computers 
safe  from  viruses  and  worms 
isn’t  as  easy  as  you  think 

PAGE  53 


Can  U.S.  Customs  and  its  ind 
partners  keeplglobal  shippi 
afloat  and  terror  at  bay? 


Ken  Wheatley, 
VP  of  corporate 
security  for  Sony 
Electronics 


AwiZsnal1^ 


September  2003  $9.00 
www.csoonline.com 


j 

Introducing  fully-integrated 
client  security.  The  Symantec 
revolution  continues. 


The  secure  enterprise  is  here.  Now  the  revolution 
that  began  at  the  gateway  with  Symantec™  Gateway 
Security  has  spread  to  desktops  and  laptops. 
Introducing  Symantec™  Client  Security  the  world's 
first  comprehensive ,  fully-integrated  client  security 
solution.  It  seamlessly  integrates  the  critical 
tools — intrusion  detection ,  client  firewall  and 
virus  protection — into  a  powerful,  cohesive  defense. 
By  working  as  a  unified  system  to  scan  both 
inbound  and  outbound  traffic,  it  allows  you  to  better 
detect,  contain  and  eliminate  complex  blended 
threats  like  Nimda  and  Code  Red.  And  to  help  you 
manage  it  all,  a  centralized  console  lets  you  install, 
configure  and  monitor  all  components  from  a  single 
workstation.  The  revolution  continues.  Join  it  at 
http://ses.symantec.com/CDl  or  call  800  745  6054 
and  well  send  you  our  multimedia  CD,  “ The  Symantec 
Integrated  Security  Solution. " 


Symantec 


I  AM  A  CISCO 
CATALYST  6500. 


I  AM  A  SNARLI 
PACK  OF 
DOBERMANS. 


I  AM  INTEGRATED  SECURITY.  I  HAVE  THE  POWER  TO  PROTECT 
YOUR  NETWORK  FROM  THE  INSIDE,  THE  OUTSIDE  AND  FROM 
EVERYWHERE  IN  BETWEEN.  I  ALWAYS  KNOW  WHO  IS  ON  THE 
GUEST  LIST  AND  HAVE  THE  POWER  TO  DENY  THOSE  WHO  AREN'T 
ON  IT.  I  SNIFF  OUT  THREATS  SO  YOU  CAN  STAY  PRODUCTIVE.  I  AM 
MORE  THAN  A  CISCO  CATALYST  6500. 


Cisco  Systems 


THIS  IS  THE  POWER  OF  THE  NETWORK.  nOW. 


cisco.com/securitynow 


September  2 

V0L.2  N  0 . 9 


Cover  photo  by 
Robert 
Burroughs 


28  cover  story  Sea  Change 

SUPPLY  CHAIN  In  an  effort  to  prevent  terrorists  from  turn¬ 
ing  container  ships  into  weapons,  Customs  is  counting  on 
big  business  to  goad  partners  into  improving  security.  The 
result:  public  and  private  partnerships  that  might  work— or 
fail  completely.  By  Sarah  D.  Scalet 

36  Firing  Line 

STAFFING  A  poorly  handled  employee  termination  can 
create  a  slew  of  security  risks.  That’s  why  CSOs  need  a 
process  for  letting  workers  go.  By  Malcolm  Wheatley 

42  The  Evolution  of  a  Cryptographer 

INTERVIEW  Bruce  Schneier,  who  literally  wrote  the  book  on 
cryptography,  talks  with  Senior  Editor  Scott  Berinato  about 
his  holistic  view  of  security,  both  physical  and  technical. 

46  Stressed  to  Kill 

PERSONAL  MANAGEMENT  Stress  is  a  torture  chamber  that 
can’t  always  be  avoided.  Tortured  most  are  executives  with 
high  accountability  but  low  authority.  Sound  like  anyone 
you  know?  By  Christopher  Koch 


N  EVERY  ISSUE  6  CSOonline.com  8  Letter  from  the  Editor  10  Advisers  62  Index 


COLUMNS 

22  Security  on  the  Move 

SECURITY  COUNSEL  CEO  of  R.J.  Heffernan  Associates, 
Richard  J.  Heffernan,  answers  readers’  questions  about 
securing  information  in  transit. 

24  Wi-Fight  It? 

FLASHPOINT  CSOs  struggling  with  wireless  need  an 
attitude  adjustment.  By  David  H.  Holtzman 

58  Scare  and  Scare  Alike 

CSO  UNDERCOVER  The  DHS  has  been  around  for  more 
than  100  days  now.  Where  do  you  fit  in? 


DEPARTMENTS 

13  Briefing 

Someone  to  watch  over  you;  For  the  love  of  privacy; 

Be  careful  what  you  check  for;  You  snooze,  you  lose; 
Picking  up  the  pieces 

20  Wonk 

The  recording  industry  is  fighting  back.  And  if  your 
employees  download  copyrighted  music  on  your  watch, 
your  company  could  get  caught  in  the  rumble. 

By  Julie  Hanson 

53  Machine  Shop 

Ruling  over  unruly  programs. 

By  Simson  Garfinkel 

TOOLBOX  Getting  creative  with  network  security 

64  Debriefing 

Odd  Jobs 


4  www.csoonline.com  September  2003 


High-speed  Access 

to  High-speed  talent 


... 

Network  Security  Engineers  are  a  phone  call  away. 


To  keep  your  business  competitive,  you  need  the  right  IT  talent  at  just  the  right  time. 

With  more  than  100  locations  worldwide,  Robert  Half  Technology  is  a  leading  provider  of: 

•  Network  Security  Engineers  •  Network  Administrators 

•  Programmers  •  Database  Administrators 

•  Web  Developers  •  And  other  Technology  Professionals 

•  Help  Desk  Professionals 

With  our  exceptional  connections  to  the  best  technology  talent  available,  we’ll  do  more  than  provide 
cost-effective  solutions  to  your  needs  -  we’ll  do  it  exactly  when  you  need  it. 

Call  today! 


800.793.5533  roberthalftechnology.com 


ROBERT  HALF® 

TECHNOLOGY 


Information  Technology  Professionals SM 


©  Robert  Half  Technology.  E0E 


A  Robert  Half  International  Company 


THE  RESOURCE  FOR  SECURITY  EXECUTIVES 


cso 


.com 


Bill  Boni 


Security  Counsel 

This  month,  Bill  Boni, 

CISO  of  Motorola,  will 
be  available  online  to 
answer  your  questions 
about  information  secu¬ 
rity.  Boni  has  spent 
more  than  a  quarter 
century  as  an  information  protection  spe¬ 
cialist.  In  addition  to  holding  security 
positions  in  private  industry,  he  has  also 
been  a  U.S.  counterintelligence  officer, 
federal  agent  and  project  security  officer 
for  the  Star  Wars  missile  defense  system. 
Visit  SECURITY  COUNSEL  to  post  a  ques¬ 
tion.  www.csoonline.com/counsel 

Career  Adviser 

Looking  for  career  advice?  CSO’s  resident 
expert,  Joyce  Brocaglia,  answers  your  ques¬ 
tions  about  senior-level  career  advance¬ 
ment,  change,  education,  strategy  and 
more.  Visit  CAREER  ADVISER  to  post  a 
question,  www.csoonline.com/adviser 

Free  Newsletters 

We’ll  bring  CSO  right  to  your  inbox  every 
month— for  free.  CSO  UPDATE  highlights 
the  most  recent  content  posted  on 


Daily  Dose  of  CSO 

Need  a  daily  fix  of  security  analysis, 
news,  numbers  or  opinions?  Visit 
CSOonline.  Here’s  a  rundown  of  the 
fresh  content  you’ll  find  each  weekday: 

MONDAY 

TALK  BACK  Is  intrusion  detection  a 
dead-end  technology?  Visit  each  week 
to  share  your  opinions  on  this  and  other 
topics,  www.csoonline.com/talkback 

TUESDAY 

SECURITY  CHECK  Quick  and  easy.  Vote 
in  our  weekly  security  poll.  You  may  also 
check  the  results  of  previous  polls.  We 
asked,  “Do  you  think  the  solution  to  the 
patch  management  crisis  will  involve...” 
and  you  said,  “doing  less  patching.” 
www.csoonline.com/poll 

WEDNESDAY 

ANALYST  REPORTS  We’ve  gathered 
research  and  analysis  from  respected 
sources  and  put  it  all  into  one  convenient 
package.  In  a  recent  report,  the  Yankee 
Group  says  the  Web  application  security 
market  will  be  the  hottest  growth  area  in 
the  Internet  security  space  for  2003. 
www.csoonline.com/analyst 

THURSDAY 


CSOonline.  CSO  CAREER  NEWSLETTER 

alerts  you  to  the  latest  security- related  job 
openings  in  our  database,  as  well  as  career 
advice  and  recent  executive  moves. 

www.csoonline.com/newsletters 


METRICS  Did  you  know  that  80  percent 
of  U.S.  handheld  users  store  potentially 
sensitive  business  information  on  their 
portable  devices?  Visit  each  week  for  the 
statistics  that  matter  for  security  profes¬ 
sionals.  www.csoonline.com/metrics 


News  You  Can  Use 

We  scour  the  Web  each  weekday  for  the 
security  headlines  and  stories  you’ll  want  to 
read,  and  we  condense  them  so  that  you’ll 
get  up  to  speed  fast.  You  may  also  dig 
deeper  by  clicking  on  a  link  to  the  full  text 
of  each  article,  www.csoonline.com/news 


FRIDAY 

POLITICS  &  POLICY  Read  our  weekly 
recap  of  action  on  the  Hill.  Get  the  full  text 
of  bills  before  the  House  and  Senate,  and 
blurbs  about  other  legislative  activity- 
inside  the  Beltway  and  out. 
www.csoonline.com/politics 


6  www.csoonline.com  September  2003 


PHOTO  BY  JEFF  SCIORTINO 


President  Walter  Manninen 
Group  Publisher  Gary  J.  Beach 
Publisher  Bob  Bragdon 

EDITORIAL 

Editor  in  Chief  Lew  McCreary 
Executive  Editor  Derek  Slater 
Managing  Editor  Elaine  M.  Cummings 
Managing  Editor,  Production  Cheryl  R.  Asselin 
Senior  Editors  Scott  Berinato,  Daintry  Duffy 
Research  Editor  Lorraine  Cosgrove  Ware 
Senior  Writer  Sarah  D.  Scalet 
Editor  at  Large  Simson  Garfinkel 
Copy  Chief  Tom  Wailgum 
Asst.  Managing  Editor,  Production  Kathleen  S.  Carr 

Copy  Editors  Kelli  A.  Gauthier  (Assoc.), 
Emily  S.  Henderson,  Sarah  Johnson  (Assoc.) 

Special  Projects  Manager  Lynne  Z.  Rigolini 
Editorial  Resource  Manager  Carol  Zarrow 
Editorial  Assistants  Daniel  J.  Horgan,  Joe  Sullivan 

Contributors  Richard  J.  Heffernan,  David  H. 
Holtzman,  Christopher  Koch,  Paul  Roberts, 
Matt  Villano,  Malcolm  Wheatley 

Editorial  Operations  Specialist  Julie  Hanson 

DESIGN 

Executive  Director,  Art  and  Design  Mary  Lester 
Art  Director  Steve  Traynor 
Senior  Designer  Chandra  Tallman 
Design  Operations  Specialist  Rachel  Barnett 

ONLINE  EDITORIAL 

Web  Editorial  Director  Art  Jahnke 
Consulting  Editor  Janice  Brand 
Web  Editor  Sandy  Kendall 
Web  Writer  Jon  Surmacz 

ONLINE  &  INFORMATION  SYSTEMS 

Chief  Information  Officer  Mark  Hall 

ONLINE 

Senior  VP/General  Manager,  Online  Tim  Horgan 
Executive  Web  Editor  Martha  Heller 
Online  Technology  Director  Dagmar  Eiben 
Senior  Web  Developer  Ellen  Morey 
Director  of  Online  Research  Kathleen  Kotwica 
Audience  Development  Manager  Andrew  Burrell 
Web  Developers  Diane  Chen,  Shannon  Macdonald 
Online  Content  Researcher  Tara  Gillet-Liloia 
Designer  Graham  White 
INFORMATION  SYSTEMS 
Infrastructure  Manager  James  C.  Burgoyne 
User  Services  Manager  Ron  Bettencourt 

Senior  User  Services  Specialists  Michael 
Fahlsing,  Jonathan  Frappier 

Systems  Administrator  Robert  Reagan 

N 

CXO\MEDlA  INC. 

Founder  Joseph  L.  Levy 

INTERNATIONAL  DATA  GROUP 

Board  Chairman  Patrick  J.  McGovern 
CEO  Pat  Kenealy 

BPA  INTERNATIONAL  MEMBERSHIP 

Applied  for  August  2002 
©  CXO  Media  Inc. 


j 


INTRODUCING  REALSECURE 
NETWORK  7.0. 


RELEASED  JUST  AHEAD  OF 
EVIL  THREAT  6.8. 


Dynamic  Threat  Protection.  The  most  complete  protection  available.  Leading  edge  detection,  prevention 

and  response  that  stops  the  bad  guys  cold.  That’s  RealSecure®  Network  7.0.  Our  solution  offers  the  most  accurate  protection  at 
network  speeds  without  slowing  you  down.  Plus,  our  SiteProtector™  centralized  management  system  makes  protecting  a  large  network 
as  simple  as  the  click  of  a  mouse.  Or,  let  us  do  it  for  you  with  our  24/7  Managed  Protection  Services.  Keep  evil  one  step  behind.  Find 
out  why  RealSecure  is  the  market  share  leader,  visit  www.iss.net/iss-cso  or  call  us  at  800-776-2362. 


RealSecure  Network  7.0 

Unified  protocol  analysis  and  pattern  matching  -  that  works 
Analyzes  95  network  protocols  -  catching  even  unknown  attacks 
Nonstop  protection  at  network  speeds  up  to  IGbps 
Backed  by  X-Force,'  the  world’s  # 1  security  intelligence  team 


INTERNET 

Security 

Systems 


Shark  Attack 


The  Defense  Advanced  Research  Projects  Agency 
(DARPA,  inventor  of,  among  other  things,  the  Internet) 
dropped  some  chum  in  the  political  waters  recently,  and 


a  bunch  of  elected  sharks  (creatures  known  for  their  outsized  appetites  and 
undersized  brains)  quickly  congregated  and  ate  a  hearty  meal.  The  particular 
provocation,  of  course,  was  DARPA’s  plan  to  establish  a  futures  market  that 
would  “trade”  in  a  wide  range  of  geopolitical  atrocities— assassinations,  acts 
of  terrorism,  coups  and  so  forth.  People  would  wager  on  the  likelihood  of 
various  specified  horrors  occurring  and,  so,  intelligent  inferences  could  be 
drawn  from  the  aggregate  flows  of  opinion  around  the  competing  scenarios. 

The  idea  of  wagering  for  profit  on  forms  of  human  tragedy,  being  tailor- 
made  for  self-righteous  umbrage,  whipped  politicians  into  rhetorical  frenzies. 
Once  the  idea  achieved  consensus  status  as  an  example  of  certified  idiocy,  there 
was  lots  of  piling  on.  It  was  obvious,  though,  that  very  little  scrutiny  was  being 
devoted  to  the  actual  design  and  purposes  of  the  program  itself.  As  the  turbu¬ 
lence  subsided,  people  were  applying  the  same  sort  of  critique  to  DARPA  that 
was  once  reserved  for  the  National  Endowment  for  the  Arts,  back  in  the  day 
when  that  group  sometimes  bestowed  generous  funding  on  artists  who  happily 
defiled  established  standards  of  public  decency.  Regarding  DARPA,  the  politi¬ 
cos  vowed  to  take  a  damn  close  look  at  every  penny  the  agency  spends  to  see  if 
more  undiscovered  lunacies  might  be  in  the  works. 

As  it  happens,  though,  DARPA’s  futures  exchange  might  actually  be  a 
good  idea.  Unlike  John  Poindexter’s  other  brainchild,  the  privacy-threatening 
Terrorism  Information  Awareness  program,  this  DARPA  venture  seemed  to 
be  a  way  of  creating  a  potentially  valuable  hive  of  collective  thinking  about  an 
assortment  of  weird,  though  not  implausible,  menaces.  The  absence  of  well- 
synthesized,  high-quality  thought  about  such  scenarios  is  exactly  what  many 


of  the  same  sputtering  senators  and  congressmen 
have  been  railing  about  both  before  and  since  the  July 
release  of  the  report  on  the  9/11  attacks. 

There’s  no  doubt  that  DARPA  proved  to  be  its  own 
worst  enemy  in  this  case.  To  quote  the  estimable 
Thornton  May,  in  his  June  CSO  interview  on  a  much 
different  subject,  “These  guys  couldn’t  sell  water  to  a 
man  on  fire!”  The  very  discovery  of  the  website  on 
which  the  futures  exchange  was  prototyped  seemed 
to  have  caught  its  inventors  flat-footed  and  their 
masters  by  surprise.  Deputy  Secretary  of  Defense 
Paul  Wolfowitz  paused  in  being  raked  over  the  coals 
by  the  Senate  Foreign  Relations  Committee  just  long 
enough  to  disown  the  exchange  as  an  example  of 
“imaginative”  excess.  Once  the  feeding  frenzy  was  in 
full  swing,  no  one  seemed  the  least  bit  interested  in 
defending  the  idea  on  its  merits.  On  the  contrary, 
everyone  wanted  to  run  from  it  as  far  and  as  fast  as 
he  could. 

But  perhaps  the  venture  deserves  some  second 
thoughts.  Despite  the  unsavory  imagery  triggered  by 
a  futures  market  in  outrages,  is  there  really  no  value  in 
inviting  a  group  of  knowledgeable  experts  to  speculate 
on  the  relative  probabilities  of  certain  ghastly  events? 

As  we  fault  the  FBI  and  other  institutions  for  dereliction 
in  putting  the  al-Qaida  pieces  together,  we  shouldn’t 
condemn  quite  so  casually  an  exercise  whose  aim  is  to 
address  those  derelictions. 

-Lew  McCreary 
mccreary@cxo.com 


8  www.csoonline.com  September  2003 


PHOTO  BY  WEBB  CHAPPELL 


CCTP  would  have  made  his  life  much  easier  CCTP,  engineered  by  Anixter,  is: 


Introducing 

OCCTP 

video  surveillance  for  the  digital  age 

Want  to  know  more? 
simply  go  to  anixter.com/CCTP 

or  call  1-800-ANIXTER. 


•  The  only  open  architecture,  standards-based, 
structured  video  surveillance  solution 

•  30%  less  expensive  than  traditional 
CCTV  systems 

•  Video,  Power  and  Control  over  one  optimized 
UTP  cable 

•  Able  to  handle  existing  analog  technology 

•  Ready  for  the  IP  surveillance  future 

»CCTP  products  exclusively  manufactured  for  Anixter  by  Belden  and  Siemon. 


“Winner  of  the  "Best  New  Technology"  Award  at  the  Federal  Office  Systems  Expo  (FOSE) 


4$ 


THE  RESOURCE  FOR  SECURITY  EXECUTIVES 


CSO  wishes  to  thank  the  following  individuals  for  serving  as 
our  editorial  Board  of  Advisers,  supplying  their  expertise  and 
guidance  to  CSO’ s  editors  * 


CHRIS  CHRISTIANSEN 

Program  Vice  President,  eBusiness 
Infrastructure  and  Security  Software,  IDC 

STEPHEN  E.  CROSS 

Former  Director  and  CEO 
Software  Engineering  Institute  and 
CERT  Coordination  Center 
Carnegie  Mellon  University 

DAVID  CULLINANE 

CISO,  Washington  Mutual 
President,  Information  Systems 
Security  Association 

DOROTHY  DENNING 

Professor 

Department  of  Defense  Analysis 
Naval  Postgraduate  School 

DANIEL  E.  GEER  JR. 

CTO,  @Stake 

DAVID  M.  HAGER 

Former  Vice  President,  Network  Security 
and  Disaster  Recovery 
Oppenheimer Funds 


JOHN  HARTMANN 

Senior  Director  of  Information  Technology 
The  Home  Depot 

STEVE  KATZ 

President,  Security  Risk  Solutions 

MICKI  KRAUSE 

CISO,  Pacific  Life  Insurance 

BRUCE  SCHNEIER 

CTO,  Counterpane  Internet  Security 

JOHN  TRITAK 

Former  Director 

Critical  Infrastructure  Assurance  Office 

KRIZI  TRIVISANI 

Information  Security  Officer 
The  George  Washington  University 

JAMES  WADE 

CISO,  KeyCorp 
President,  (ISC)2 

ROBERT  WEAVER 

Assistant  Special  Agent  in  Charge 
Secret  Service  Electronic  Crimes  Task  Force 
New  York  City 


How  to  Reach  Us 

E-MAIL 

csoletters@cxo.  com 

PHONE 

508  872-0080 

FAX 

508  879-7784 

ADDRESS 

CSO  Magazine 

492  Old  Connecticut  Path,  P.0.  Box  9208 
Framingham.  MA  01701-9208 

SUBSCRIBER  SERVICES 

phone:  866  354-1125 
fax:  847  564-9453 
e-mail:  cso@omeda.com 

REPRINTS 

Reprints  are  available  by  calling  Reprint  Services 
at  651  582-3834,  or  via  e-mail  at 
csoreprints@reprintservices.com. 

ABOUT  IDG  International  Data  Group  (IDG),  the 
leading  global  provider  of  IT  media,  research, 
conferences  and  events,  informs  more  people 
about  technology  than  any  other  company  in  the 
world.  Offering  the  widest  range  of  media  options, 
IDG  reaches  more  than  120  million  technology 
buyers  in  85  countries  representing  95  percent  of 
worldwide  IT  spending.  IDG  publishes  more  than 
300  newspapers  and  magazines  in  85  countries, 
led  by  the  Computerworld,  Infoworid.  Macworld. 
Network  World,  PC  World  and  CIO  global  prod¬ 
uct  lines.  IDG  offers  online  users  the  largest  net¬ 
work  of  technology-specific  sites  around  the 
world  through  IDG.net  ( www.idg.net ),  a  gateway 
to  IDG's  330  websites  powered  by  more  than 
2,000  journalists  reporting  from  every  continent 
in  the  world.  IDG  also  produces  168  technology- 
related  conferences  and  events,  and  research 


*The  advisers'  participation  does  not  imply  an  endorsement  of  the  magazine’s  content  or  opinions. 


company  IDC  provides  global  market  intelligence, 
analysis  and  forecasts  in  43  countries. 


“Most  computer  systems  are  brittle: 
When  security  fails,  it  usually  fails 
completely.” 

-BRUCE  SCHNEIER,  FOUNDER  AND  CTO  OF  COUNTERPANE  INTERNET  SECURITY 

(SEE  “THE  EVOLUTION  OF  A  CRYPTOGRAPHER,”  PAGE  42) 


10  www.csoonline.com  September  2003 


PHOTO  BY  STEVE  NIED0RF 


Can  you  find 

every  rogue  device  i 

% 

i 

on  your  network? 

We  can. 


Take  control  of  your  network  perimeter 
using  FreeMap,  a  new  free  service  from  Qualys. 

Register  now  at  freemap.qualys.com. 

Qualys  FreeMap  is  a  web-based  service  that  lets  you  discover  devices,  identify  their  operating 
systems  and  create  a  visual  topology  of  your  entire  network. There's  no  software  to  install  or 
maintain,  making  it  easy  to  identify  and  monitor  all  your  network  entry  points,  including  routers, 
VPN  servers  and  wireless  access  points.  Qualys  FreeMap  also  enables  you  to  query  DNS  records 
so  you  can  identify  obsolete  or  rogue  devices. 

Take  advantage  of  this  valuable  service  before  someone  takes  advantage  of  your  network. 


For  product  information,  call  toll-free  1-800-745-4355.®  2003  Qualys,  Inc.  All  Rights  Reserved. 


In  a  government  sponsored  trial  of 
biometric  security  systems, 

LG  IrisAccess 
outperformed  every 
other  system  tested 

proving  to  be  far  more  accurate.  Far 
faster.  And  over  1000  deployments 
confirm  it. 


LG  IrisAccess™  Iris  Recognition  Systems  provide  unparalleled 
security  for  people  and  property.  The  winner  in  head  to  head  testing. 
Proven  in  over  1000  installations,  worldwide.  LG  IrisAccess  makes 
world-class  security  surprisingly  affordable.  Visit  Igiris.com/report. 
And  see  the  difference  it  can  make  to  your  security. 


#LG 


The  iris  identity  experts. 


LG  IrisAccess  3000 


LG  IrisAccess  is  produced  under  a  technology  license  from  Iridian  Technologies.  Inc.  ©2003  LC  Electronics  USA 


News,  Stats  and  Fast  Facts 

Kathleen  Carr  and  Daintry  Duffy 


CSO  SECURITY  CHECK 


Do  you  think  sending 
spam  should  be  a  felony 
offense? 


Someone 
to  Watch 
Over  You 


CSO  readers  are  clearly  divided  as  to 
whether  sending  spam  should  be  a 
felony  offense.  Just  as  well  then  that 
California  killed  the  first  bill  in  the 
nation  that  would  have  made  it  illegal. 
We  don’t  think  the  issue  will  die  there. 
To  participate  in  CSO  Security  Check 
polls,  visit  www.csoonline.com. 


Which  Part  of  Cryptographic  Epoxy  Token 
Did  You  Not  Understand? 


SURVEILLANCE  Often,  it  doesn’t  take 
much  effort  to  find  a  company  that’s  exploit¬ 
ing  the  events  of  9/11  in  its  products  or  serv¬ 
ices.  And  it  seems  that  there  are  more 
exploits  on  the  horizon. 

Jay  Walker,  founder  ofPriceline.com,  has 
moved  from  the  auction  business  to  the  secu¬ 
rity  business  with  US  HomeGuard,  an  idea 
that  would  pay  ordinary  citizens  $10  an  hour 
to  stare  at  surveillance  video  looking  for  ter¬ 
rorist  activity.  It’s  like  a  neighborhood  watch, 
but  the  neighborhoods  are  vulnerable  spots 
near  critical  infrastructures  where  it  would 
be  suspicious  for  someone  to  wander. 

The  surveillance  would  work  like  this.  A 
spotter  logs  on  and  views  a  surveillance 

photo  sent  via  wire¬ 
less  webcam.  The 
spotter  votes  on  the 


CRYPTOGRAPHY  When 
you’re  this  smart,  who  needs  comput¬ 
ers?  Researchers  at  MIT’s  intriguingly 
named  Center  for  Bits  and  Atoms  have 
created  a  powerful  method  of  encrypt¬ 
ing  data— without  the  help  of  a  single 
laptop. 

The  process  involves  a  token,  about 
the  size  of  a  quarter,  made  from  epoxy 
which  is  manufactured  for  about  a 
cent.  Each  token  contains  a  unique 
constellation  of  miniature  glass 
spheres.  Beam  a  light  (think  supermar¬ 
ket  bar-code  reader)  through  the  token 
and  those  spheres  scatter  the  light  in  a 
unique  “speckle"  pattern.  Convert  that 


speckle  image  into  a  fixed-length  string 
of  bits  and  you  have  a  unique  numeric 
identifier,  according  to  Neil  Gershen- 
feld,  cofounder  and  director  of  the 
center. 

Gershenfeld  says  these  devices 
have  many  potential  uses.  For  exam¬ 
ple,  you  could  affix  a  token  to  a  sealed 
instrument  that  captures  data  from  a 
weapons  program  that  must  report  its 
work  to  an  international  watchdog 
agency.  When  the  agency  comes  call¬ 
ing,  it  runs  the  token  through  a  scanner 
and  can  verify  that  the  instrument  is 
valid  and  has  not  been  tampered  with. 
To  that  end,  the  token  can  be  manufac¬ 


tured  in  such  a  way  that  small  surface 
scratches  and  dirt  don't  affect  the 
authentication  process. 

Gershenfeld  says  each  token  holds 
about  a  terabit  of  data,  making  it  very 
difficult  to  emulate.  Compare  that  with 
standard  credit  card  transactions,  he 
says.  Credit  card  data  is  contained  in  a 
magnetic  stripe,  which  is  easy  to  repli¬ 
cate.  It  may  not  be  long  before  these 
tokens  appear  in  the  real  world.  The 
research  aspect  of  the  project  is  com¬ 
plete,  and  the  idea  has  been  turned 
over  to  MIT's  technology  transfer 
group  for  commercialization. 

-Derek  Slater 


photo: 
yes  if  there’s 
unusual  activity,  no  if  there’s  none,  and  maybe 
if  it’s  unclear.  If  the  spotter  votes  yes,  the 
photo  is  routed  (encrypted)  to  other  spotters 
to  vote.  If  enough  vote  yes,  the  system  alerts 
the  authorities.  It  would  also  send  fake  pho¬ 
tos  with  people  purposefully  added  in.  If  a 
spotter  votes  no  on  such  a  photo,  he  is  sus¬ 
pended  without  pay  for  three  minutes  and 
not  rehired  until  he  correctly  votes  on  several 
more  test  photos. 

Clever?  Sure.  Viable?  Not  so  much.  The 
surveillance  would  only  work  for  remote  sites, 
where  human  activity  is  very  rare.  And  if 
that’s  the  case,  many  experts  believe  motion 
detection  software  is  both  more  economical 
and  more  accurate  than  human 
spotters. 

Then  there’s  the  matter  of 
money.  Walker  proposes  that  the 
companies  being  protected,  and 
the  government,  foot  the  $10  per 
hour  per  spotter  bill.  He  also 
wants  to  sell  the  system  to  the 
government  for  $1  and  then 
charge  an  ongoing  service  fee. 

The  Department  of  Homeland 
Security  hasn’t  seriously  evalu¬ 
ated  the  idea,  and  doesn’t  plan  to, 
but  Walker  is  unphased.  All  he 
needs  now  are  some  citizens  who 
want  to  stare  at  their  computers 
for  10  bucks  an  hour. 

-Scott  Berinato 


September  2003  www.csoonline.com 


ILLUSTRATIONS  BY  LEO  ESPINOSA 


!  -■  , 


For  the  Love  of  Privacy 


GOVERNMENT  The  U.S.  Navy  wants  an  intranet.  To  ensure  that  the 
project  sails  smoothly,  the  Navy  is  soliciting  help  from  private  industry  ven¬ 
dors  to  replace  more  than  1,000  local  networks  with  a  a  single,  secure 
intranet.  The  infrastructure  and  basic  applications  for  the  intranet  will  be 
built  by  subcontractor  EDS.  The  Navy  has  requested  all  the  bells  and  whis¬ 
tles:  modern  applications  that  offer  Web  services,  efficient  storage  solutions 
through  databases  and  consolidation  of  their  30,000  applications. 

The  Navy  has  been  analyzing  its  networks  since  1999  and  recently  deter¬ 
mined  that  it  desperately  needs  to  enhance  security  and  interoperability. 
Networks  throughout  the  Navy  are  now  governed  independently,  with  each 
individual  office  using  applications  purchased  locally.  Integrating  the  systems 
via  an  intranet  dubbed— with  typical  Navy  efficiency— the  Navy  Marine  Corps 
Intranet  (NMCI)  is  the  proposed  solution,  but  officials  do  not  think  they  have 
the  resources  to  build  the  intranet  themselves.  “We  discovered  two  important 
details  during  this  process,”  says  Capt.  Chris  Christopher,  the  deputy  program 
executive  officer  for  NMCI.  “First,  that  shore-based  IT  maintenance  and 
management  is  not  a  core  mission  of  the  Navy,  and  second  we  do  not  have 
the  up-front  capital  required  to  update  our  networks.”  Translation:  The 
Navy  needs  a  hand. 

The  idea  of  outsourcing  is  certainly  not  new  to  the  federal  government, 
but  Christopher  says  that  as  budget’s  tighten,  the  government  has  to  control 
costs.  If  outsourcing  makes  sound  business  sense,  that’s  what  the  Navy 
will  do.  Christopher  says  the  Navy  will  consider  working  with  both  well- 
established  technology  companies  and  small  firms.  In  fact,  the  NMCI 
contract  mandates  that  40  percent  of  the  work  involved  in  building  the 
intranet  must  go  to  small  or  disadvantaged  businesses.  These  days,  that 
clause  could  apply  to  most  of  us.  -Julie  Hanson 


SECURITY  AS  AFTERTHOUGHT 


At  what  stage  does  security  become  involved 
in  the  termination  process  at  your  company? 

Security  is  typically  not  notified 
about  terminations. 


W$f'\  $'vV  f 

_  .  Wm 


What  happens  when  a 

quarter-million  California  state  employees  get 
pissed?  Bills  get  passed. 

Case  in  point:  SB  1386,  which  grew  out  of  the 
high-profile  theft  of  personal  information  from 
California  state  employees.  The  bill  mandates 
that  companies  doing  business  in  California 
must  inform  customers  if  they  believe  their  per¬ 
sonal  information  has  been  stolen.  The  bill  was 
staunchly  opposed  by  a  number  of  industry 
groups,  including  the  Software  &  Information 
Industry  Association  and  the  Information  Tech¬ 
nology  Association  of  America. 

Among  other  things,  the  law  says  that  com¬ 
panies  must  report  to  their  customers  if  they 
have  reason  to  believe  that  personal  informa¬ 
tion  has  been  compromised.  That  standard  is 
nebulous.  It  doesn’t  give  any  indication  of  how 
deep  companies  should  dig  into  their  systems 
to  look  for  security  breaches.  It  also  doesn’t  tell 
them  what  to  do  when  it  isn’t  clear  if  a  breach 
has  occurred.  The  California  bill  says  that  the 
notification  requirement  for  exposed  personal 
information  applies  only  to  unencrypted  per¬ 
sonal  information.  That  makes  data  encryption 
a  “safe  harbor”  for  companies,  says  Dan  Bur¬ 
ton,  senior  vice  president  of  government  affairs 
at  Entrust  Technologies. 

Companies  worried  about  compliance  should 
do  a  risk  assessment  of  their  IT  resources  and 
find  out  which  databases  contain  personal 
identity  information  such  as  first  and  last  name 
and  Social  Security  number.  Those  data  strings 
should  then  be  encrypted,  both  for  storage  and 
transmission,  Burton  says. 

“If  you  do  that,  according  to  [SB  1386],  you 
don’t  have  to  worry  about  [Federal  Trade  Com¬ 
mission]  action,  class  action  lawsuits  or  attor¬ 
neys  general  coming  after  you,”  he  says.  But 
1386  doesn’t  specify  what  level  of  encryption 
must  be  used  or  how  it  should  be  used.  It’s  pre¬ 
sumed  that  this  will  be  worked  out  in  the  courts 
as  data  is  stolen  and  injured  parties  attempt  to 
use  the  law  for  legal  redress. 

While  the  protection  of  personal  data  is  good 
public  policy,  more  work  and,  perhaps,  over- 

•KV/.  •  ■i.JvC  •  '■j  . 

£  reaching  federal  legislation  such  as  that  pro- 

' 

»  posed  by  Calif.  Sen.  Dianne  Feinstein  is  needed 
to  clarify  some  of  the  murky  issues  raised  by 
the  California  law,  experts  say. 

-Paul  Roberts 

fi  ';  •  r'i *i ‘  T  ••y;7vV-  "•  •  •< , 

14  WWW  csoonline.com  September  2003 


During  the  week  a  termination 
takes  place.  The  employee  is 
escorted  out  of  the  building, 
and  access  cards  and  accounts 
are  deactivated. 

To  read  more  about  security  risks  related  to  terminations,  see  “Firing  Line"  on  Page  36. 

SOURCE:  CSO  ONLINE  SECURITY  CHECK  POLL 


When  employees  are 
at  risk  of  termination. 
Employee  activities  are 
monitored  and  audited. 


Only  after  a  termination 
has  taken  place. 


Eliminate  80°/  of  time  spent  resolving  problems 
Solve  50°/  of  downtime  causes 
Empower  higher  IT  productivity 


Tripwire®  reduces  operational  risk  and  ensures  the  security 
and  availability  of  your  networks.  By  immediately  detecting 
and  pinpointing  change,  Tripwire  provides  stretched  IT  staffs 
with  increased  visibility  and  control.  The  result?  A  high  level 
of  security  and  complete  confidence  in  the  integrity  of  IT 
operations  across  the  enterprise. 


Tripwire  is  the  only  way  to  have  1 00%  confidence 
that  systems  remain  uncompromised. 


TDiDUfiDr 

nftnrtfit 


The  Integrity  Assurance  Company. 


FREE  30-day  fully-functional  demo  & 

White  paper  “What’s  Good  for  Operations  is  Good  for  Security”, 

Call  1 -800-TRIPWIRE  (874.7947)  or 
Visit  http://cso.tripwire.com  today! 


A  New  School  of  Thought 

What’s  good  for  security  is  good  for  operations. 


©  Copyright  2003.  Tripwire  and  the  Tripwire  logo  are  registered  trademarks  of  Tripwire,  Inc. 


Be  Careful  What  You  Check  For 


SCREENING  Remember  when  you  were  14 
and  got  caught  not  inhaling?  We  know  it  was 
just  a  youthful  indiscretion.  Even  your  parents 
have  forgiven  you.  But  imagine  having  to 
explain  that  indiscretion  to  your  boss.  Well 
you  may  soon  have  to.  Background  checks  are 
increasingly  being  used  to  screen  applicants 
in  both  the  public  and  private  sector. 

But  despite  the  increasing 
prevalence  of  such  checks, 

CSOs  should  tread  carefully 
when  initiating  them, 
says  Norm  Willox,  chief 
privacy  officer  at  Lexis- 
Nexis.  “People  are 
rethinking  how  they 
use  background 
screening,”  he  adds. 

“You  need  to  be 
smarter  about  how  you 
screen  individuals.” 

Background  checks 
have  long  been  used  to 
screen  people  who  work  in 
intelligence  or  on  classified 
government  projects,  but  they 
are  also  now  used  as  a  preemploy¬ 
ment  screening  tool  for  a  range  of  positions, 
including  bank  tellers  and  truck  drivers  haul¬ 
ing  hazardous  waste.  The  growth  of  informa¬ 
tion  technology  has  given  a  whole  new  tier  of 
workers  access  to  sensitive  information  and 
tools,  Willox  says.  “Twenty  years  ago,  very  few 


people  had  access  to  technology,  and  that 
access  was  controlled,”  he  says.  “Today, 
technology  has  become  far  more  accessible, 
and  the  risk  to  companies  has  increased 
accordingly.” 

With  easy  access  to  both  the  corporate  net¬ 
work  and  the  Internet,  disgruntled 
employees  can  transfer 
an  organization’s 
intellectual  prop¬ 
erty  to  com¬ 
petitors. 
“Employers 
want  to 
confirm 
that  they’re 
hiring  who 
they  thought 
they  were  hiring,” 
Willox  says. 

But  laws  such  as  the  Fair 
Credit  Reporting  Act  require 
organizations  to  get  consent 
from  those  who  will  be  screened. 
A  company  that  neglects  to  do  its 
homework  and  understand  its  obliga¬ 
tions  before  instituting  a  background  screen¬ 
ing  program  could  find  itself  in  legal  hot 
water.  And  while  Willox  recommends  some 
kind  of  screening  for  any  new  hire,  different 
levels  of  scrutiny  may  be  called  for,  depending 
on  the  individual’s  level  of  responsibility. 

-Paul  Roberts 


DEPARTMENT  OF  BIG,  SCARY  NUMBERS 


Last  year,  security  costs 
in  commercial  buildings 
climbed  to  56  cents  per 
square  foot,  up  from 
49  cents  in  2001. 


SOURCE:  ‘THE  2003  BUILDING  OWNERS  AND  MANAGERS  ASSOCIATION  EXPERIENCE  EXCHANGE  REPORT."  2001  FIGURE 
BASED  ON  2.303  RESPONSES.  2002  FIGURE  BASED  ON  1.959  RESPONSES. 


You  Snooze,  You  Lose 

REGULATIONS  In  the  strongest 
sign  yet  that  the  government  will,  if 
it  must,  regulate  corporate  security, 
the  Federal  Trade  Commission  is 
cracking  down  on  companies  with 
lax  security  on  their  websites. 

In  its  third  such  case,  the  FTC 
recently  settled  with  clothing  and 
accessory  company  Guess.  Cus¬ 
tomer  data  was  stolen  from  the 
Guess  website,  despite  company 
claims  that  the  personal  data  was 
“stored  in  an  unreadable,  encrypted 
format  at  all  times.”  The  FTC  argued 
that  a  February  SQL  injection  attack, 
in  which  credit  card  numbers  were 
compromised,  proved  this  claim 
was  false.  Instead  of  going  through 
legislation,  Guess  chose  to  sign  a 
consent  agreement. 

The  settlement’s  terms  require 
the  company  to  create  a  compre¬ 
hensive  security  program  and  to 
undergo  an  independent  security 
audit  every  two  years  that  meets  or 
exceeds  the  security  levels  outlined 
in  the  FTC’s  consent  agreement. 

These  security  standards  are  not 
wildly  outrageous.  The  FTC  has  pub¬ 
lished  infosecurity  guidelines  for 
companies  to  follow.  The  guidelines, 
though  broad,  are  the  first  step. 

Two  of  the  key  points  in  the  FTC’s 
existing  guidelines  stipulate  that 
companies  must  protect  against  the 
20  most  common  Internet  vulnera¬ 
bilities,  as  published  by  SANS,  and 
the  10  most  common  application 
vulnerabilities,  as  published  by  the 
Open  Web  Application  Security  Pro¬ 
ject.  (See  “The  Big  Fix"  at 
www.csoonline.com/printlinks .) 
There’s  no  telling  what  company 
the  FTC  will  target  next,  or  when— 
which  might  be  the  point.  The  FTC 
is  hoping  the  mere  threat  of  a  press 
release  with  your  company’s  name 
on  it  will  compel  you  to  act. 

For  a  look  at  the  FTC  security 
guidelines,  go  to  www.ftc.gov/bcp/ 
conline/pubs/buspubs/security.htm. 

-Scott  Berinato 


16 


www.csoonline.com  September  2003 


Take  the  Headache  out  of  HIPAA  Compliance. 


Migrating  your  database  is  a  painful  thought.  NEC  has  a  simple  solution.  Add  a  layer  of  security  to  your  existing  database  and  change  the  way  people 
access  information.  Introducing  the  MobilePro™ Tricryption®  System,  the  only  HIPAA  solution  with  three  levels  of  encryption.  Encrypted  data,  password  keys 
and  the  link  between  the  two  let  you  deliver  a  permission-based  data  access  system,  complete  with  audit  trails  to  see  who  touched  what  data,  and  when. 
The  MobilePro  Tricryption  System  takes  the  biggest  headache  out  of  HIPAA  compliance.*  Get  relief  today! 


+  MobilePro"  Tricryption®  System 


Visit  our  website  at  http://www.necsam.com/MTS1 
or  call  1.888.632.8701  for  more  information 


Becoming  HIPAA  compliant  Involves  many  policies,  procedures,  and  technologies. 

MobilePro  Tricryption  System  is  a  technology  that  helps  you  become  HIPAA  compliant. 

NEC  is  a  registered  trademark,  MobilePro  and  “Empowered  by  Innovation*  are  trademarks  of  NEC  Corporation 
and/or  one  or  more  of  its  subsidiaries.  Tricryption  is  a  registered  trademark  of  ERUCES,  Inc.  All  other  trademarks 
and  registered  trademarks  are  the  property  of  their  respective  owners.  ©2003  NEC  Solutions  (Amenca),  Inc. 

All  Rights  Reserved. 


Empowered  by  Innovation 


Picking  Up 
the  Pieces 


DISASTER  RECOVERY  When  Mother 
Nature  strikes,  the  effects  can  cripple  the 
security  of  an  organization's  IT  department. 
Such  was  the  case  at  Jackson,  Tenn. -based 
Aeneas  Internet  and  Telephone  on  May  4, 
2003— the  night  a  tornado  tore  through  the 
town  and  turned  company  headquarters  into 
a  rubbish  pile.  For  a  few  hours,  all  of  the  cus¬ 
tomer  records  at  the  small  ISP  were  vulnera¬ 
ble  to  theft,  manipulation  and  piracy.  Today, 
nearly  four  months  later,  CIO  and  Operations 
Manager  Josh  Hart  reports  that  all  of  the  data 
is  secure. 

CSO:  Tell  us  what  happened  that  day. 

JOSH  HART:  We  had  been  expecting  the 
tornadoes  for  hours.  My  network  administrator 
called  me  around  2  a.m.  to  tell  me  that  every¬ 
thing  was  in  shambles. 


Josh  Hart,  CIO  of  Aeneas 


1 


How  did  you  secure  the  area? 

We  saw  papers  and  pieces  of  our  computers 
halfway  down  the  street.  There  was  no  way  to 
secure  everything.  We  focused  most  of  our 
energy  on  restoring  service  to  our  [10,000 
Internet  and  2,500  telephone]  customers. 

When  was  service  restored? 

We  had  everything  running  live  again  about 
72  hours  after  the  twister  touched  down. 


When  did  you  consider  the  data  security? 

Right  away.  We  knew  we  had  an  electronic 
tape  backup  of  all  of  our  customer  records. 
We  found  the  tape  on  the  fourth  day  after 
impact,  but  it  was  so  waterlogged  that  we 
couldn’t  extract  anything  off  it.  Only  after  we 
obtained  help  from  a  third-party  vendor  [Min¬ 
neapolis-based  Kroll  OnTrack]  could  we 
extract  data,  and  even  then,  we  got  it  off  hard 
drives  that  we  plucked  from  the  mess. 


This  was  the  only  copy  of  the  database? 

We  had  the  database  mirrored  on  a  few  other 
[hard]  drives,  but  again,  by  the  time  we 
extracted  this  hardware,  the  site  was  crawling 
with  Aeneas  employees.  There  was  no  way 
anybody  who  didn’t  work  for  the  company 
was  walking  off  with  anything. 

How  have  you  enhanced  security  to  prepare 
for  the  next  disaster? 

We’re  scanning  and  electronically  filing 
paperwork.  We  back  these  files  every  night 
and  store  them  offsite,  to  prevent  ourselves 
from  getting  into  a  similar  situation  of 
mission-critical  data  extraction  down  the 
road. 

What  advice  do  you  have  for  companies  build¬ 
ing  disaster  recovery  plans  today? 

Address  the  matter  at  hand,  but  don’t  let  your 
guard  down.  Recovery  is  important,  but  it’s 
important  to  remember  that  you  should  never 
compromise  your  security  practices.  ■ 

-Matt  Villano 


FROM  THE  DEPARTMENT  OF  WE  REALLY  NEED  TO  FIX  THIS 


I  can  track  eveiy  plane 
that  apprpames  the  coast 
of  th^u  mtcd  States, .b^t 
I  cant  track  eveiy  ship. 

-U.s.  SEN.  FRITZ  HOLLINGS  (D-S.C.)  IN  A  STATEMENT  BEFORE 
THE  HOMELAND  SECURITY  SUBCOMMITTEE  ON  MAY  6,  2003. 
For  more  on  security  at  sea,  read  Senior  Writer  Sarah  Scalet’s  story,  “Sea  Change”  on  Page  28. 


18  www.csoonline.com  September  2003 


PHOTO  BY  SHERI  O'NEAL 


Companies  everywhere  are  facing  a  new  kind  of  threat. 
Fortunately,  there’s  a  new  level  of  protection. 


Introducing  Application  Intelligence  only  from  Check  Point 


The  Internet  is  evolving.  So  is  the  technology  that  keeps  it  secure.  Now  Check  Point  introduces 
Application  Intelligence— a  major  breakthrough  in  the  evolution  of  Internet  security  and  a  definitive 
response  to  the  growing  problem  of  application  level  attacks.  With  Application  Intelligence  integrated 
into  Check  Point  FireWall-1  and  Smart  Defense,  your  business-critical  systems  are  safe  from  both 
network  and  application  level  attacks.  By  providing  the  world’s  only  truly  integrated  security  infrastructure, 

Check  Point  centralizes  and  strengthens  your  defense  against  attack  at  every  level,  every  location.  Want 
to  take  Internet  security  to  the  next  level?  Get  the  revealing  new  white  paper  that  tells  you  everything 
you  need  to  know  about  the  latest  cyber  threats,  “Internet  Security  Redefined:  A  new  level  of  integration, 
a  new  level  of  protection.”  at  www.checkpoint.com/appint/cso 


Check  Point' 

SOFTWARE  TECHNOLOGIES  LTO 


©  2003  Check  Point  Software  Technologies  Ltd.  All  rights  reserved. 


We  Secure  the  Internet 


31  ill 


wm 


Wm. 


'he  Who,  What  and  Why  of  Washington 


Top  Billing 


NEWS  FROM  INSIDE  THE  BELTWAY 


Download  with  Care 

The  recording  industry  is  fighting  back  against  individuals  who 
download  copyrighted  music.  If  your  employees  do  it  on  your  watch, 
your  company  could  get  caught  in  the  rumble.  By  Julie  Hanson 


a. 


!i 


Eg!  ./ 

ft 


a 


HE  RECORDING  INDUSTRY  Asso¬ 
ciation  of  America  (RIAA)  recently  announced 
that  it  will  levy  lawsuits  on  users  who  down¬ 
load  copyrighted  music— and  the  corporations 
whose  networks  are  used  to 
commit  the  crime.  The 
announcement  is  raising  a 
few  questions:  Is  it  wiser  for 
the  IT  department  to  monitor 
systems  and  instill  a  no¬ 
download  policy;  or  is  turn¬ 
ing  a  blind  eye  and  claiming 
that  what  you  don’t  know  you 
can’t  be  liable  for,  the  better 
approach? 

The  recording  industry  is 
blaming  copyright  thieves 
for  decreased  profits  and  is 
threatening  “criminal  sanc¬ 
tions  or  financial  penalties” 
against  companies,  and  their 
directors,  where  corporate  systems  are  used 
for  copyright  theft.  A  letter,  backed  by  music 
and  movie  industry  heavyweights,  was  sent  to 
the  heads  of  Fortune  1000  companies, 
strongly  encouraging  them  to  route  a  memo 
to  employees  explaining  how  copyright  theft 
is  against  company  policy. 

And  the  claim  of  lawsuits  is  by  no  means  a 
bluff.  In  April  2002,  Integrated  Information 
Systems  paid  the  RIAA  a  $1  million  settlement 
after  claims  that  its  employees  were  accessing 
and  distributing  thousands  of  music  files  on  the 
company  server.  In  a  more  current  lawsuit, 
Verizon  is  being  forced  to  give  up  the  names  of 
users  who  have  been  accused  of  downloading 
copyrighted  files. 

David  L.  Sobel,  general  counsel  for  the 
Electronic  Privacy  Information  Center,  says 
it’s  still  early  to  know  whether  the  recording 


v  * 


David  Sobel,  general  counsel  for 
the  Electronic  Privacy  Information 
Center 


industry  will  hold  companies  to  the  fire  along 
with  their  employees.  But  Sobel  argues  that 
any  company  actively  engaged  in  employee 
monitoring  faces  greater  liability.  “If  a  com¬ 
pany  takes  a  hands-off 
approach  and  only  acts  as  a 
conduit,  there  is  less  of  an 
argument  of  liability,”  he 
says.  Of  course,  as  most 
CSOs  know,  not  monitoring 
employee  activity  on  your 
systems  can  open  your  net¬ 
works  to  numerous  vulnera¬ 
bilities. 

Since  companies  are  cur¬ 
rently  held  responsible  for 
employees  who  steal  copy¬ 
righted  software  and  hard¬ 
ware,  Robert  Kruger,  vice 
president  of  enforcement  for 
Business  Software  Alliance, 
doesn’t  see  why  companies  shouldn’t  also  be 
held  responsible  for  employees  who  down¬ 
load  copyrighted  music.  “Companies  have  a 
clear  interest  to  make  sure  that  employees  are 
not  downloading  any  digital  copyrighted 
work,”  says  Kruger. 

Executives  may  take  solace  in  RIAA 
claims  that  they  are  more  interested  in  the 
user  than  the  network  owner,  but  there  is  no 
guarantee  that  they  won’t  come  after  both 
parties.  Whether  network  executives  like  it 
or  not,  it  appears  there  is  one  more  liability 
to  be  concerned  about.  ■ 


To  read  more  about  what’s  happening  in  Washington,  D.C., 
visit  our  website. 


www.csoonline.com/wonk 


The  House  Judiciary  Committee  voted 
to  permanently  prohibit  taxing  access  to 
the  Internet  by  extending  a  moratorium 
enacted  by  the  Internet  Tax  Freedom 
Act.  This  act,  which  currently  prohibits 
Internet  taxation,  was  set  to  expire  in 
November  2003— but  with  the  passage 
of  H.R.  49,  a  permanent  ban  has  been 
placed  on  Internet  access  taxation. 

The  Senate  has  approved  the  FY04 
Department  of  Defense  appropria¬ 
tions  bill  (H.R.  2658),  which  includes 
wording  that  would  virtually  halt  fund¬ 
ing  for  the  controversial  Pentagon  Total 
Information  Awareness  (TIA)  program. 
The  bill  says  that  no  funds  appropriated 
to  the  Department  of  Defense  may  be 
used  toward  the  research  and  develop¬ 
ment  of  TIA,  a  program  designed  to 
allow  the  government  to  mine  intelli¬ 
gence  and  personal  data  of  civilians, 
including  credit  card  purchases  and 
medical  and  travel  records. 

The  Senate  Commerce  Committee 
unanimously  approved  E911  legislation 
that  ensures  funding  for  emergency 
services  on  cell  phones.  The  Enhanced 
911  Emergency  Act  of  2003 
(S.  1250)  authorizes  $500  million  per 
year  for  grants  to  enhance  emergency 
communications  services,  including 
the  development  of  the  National 
Telecommunications  and  Information 
Administration  Task  Force,  which  will 
coordinate  emergency  communications 
between  federal,  state  and  local 
systems. 

The  Federal  Communications 
Commission  developed  its  own  office  of 
homeland  security  to  provide  a  24/7 
point  of  contact  for  crisis  management 
and  an  emergency  response  center.  This 
includes  handling  incoming  and  outgoing 
secure  and  nonsecure  national  and  inter¬ 
national  communications  by  phone,  fax 
and  radio,  and  U.S.  Coast  Guard  search 
and  rescue  communications  circuits. 


20  www.csoonline.com  September  2003 


PHOTO  LEFT  BY  DECLAN  MCCULLAGH;  TOP  BY  GETTYONE 


IS  THE  ULTIMATE 


FIREWALL 

(ISC)2-  SECURITY  THAT  TRANSCENDS  TECHNOLOGY5" 


Even  organizations  with  identical  security  technology  can  have  information  systems  whose  trustworthiness  isn’t 
comparable.  Skilled,  motivated  and  reliable  security  architects,  designers,  implementers,  administrators  and 
managers  make  the  difference.  Experts  whose  abilities  are  coveted,  because  as  holders  of  CISSP®  and  SSCP® 
credentials,  they’re  the  trusted  constituents  of  the  non-profit  consortium  of  industry  leaders  known  as  (ISC)2SM. 

(ISC)2  is  a  non-profit  consortium  of  industry  leaders  whose  charter  is  to  compile  and  maintain  the  most 
comprehensive  Common  Body  of  Knowledge  (CBK)™.  And  from  this  CBK,  develop  the  industry  standards  for 
training  and  credentialing.  Those  professionals  who  earn  CISSPs  and  SSCPs,  share  the  credibility  of  the 
internationally  recognized  Gold  StandardSM  in  information  security. 


For  more  information  on  training  or  certification,  please  call 

1.888.333.4458 


or  visit 


www.isc2.org 


(ISC) 


CISSP’ 


SSCP’ 


Security  Counsel 


shipped  to  your  event.  Many  organizations  forgo  being 
listed  on  the  electronic  and  printed  event  listings  of  the 
hotels  hosting  conventions.  Since  IP  now  constitutes  a 
large  majority  of  the  value  of  most  corporations,  you 
would  have  a  hard  time  justifying  a  policy  to  external 
auditors  that  relies  on  hiding  in  plain  sight. 


Security  on  the  Move 

Richard  J.  Heffernan,  CEO  of  R.J.  Heffernan  Associates, 
answers  readers’  questions  about  securing  information 
in  transit 


Q:  What  is  involved  in  transporting  intellectual  property  (IP)  from  one  corporate 
site  to  another? 

A:  The  security  practices  required  in  each  situation  are  dictated  in  part  by  the 
business  you  are  in  and  the  risks  you  face.  Planning  for  the  security  of  informa¬ 
tion,  especially  at  offsite  meetings  and  conferences, 
starts  with  understanding  the  value  and  sensitivity  of 
the  information.  Perform  a  risk  assessment  of  each 
situation  that  involves  oral,  written  and  electronic 
information.  That  risk  assessment  will  help  ensure 
that  risk  identification,  evaluation  and  mitigation 
activities,  including  the  selection  of  reasonable  and 
prudent  security  controls,  are  integrated  into  the 
business  process.  ISO  17799  is  the  basis  for  many 
security  controls  and  may  be  used  as  the  core  pro¬ 
gram,  but  you  must  assign  responsibility  to  monitor 
potential  changes  in  contractual  obligations,  regula¬ 
tions  and  laws  such  as  the  Sarbanes-Oxley  Act. 

Q:  When  transporting  IP,  do  people  generally  take  the 
proper  precautions? 

A:  Most  people  take  proper  precautions  only  if  they  are  required  to  or  if  compli¬ 
ance  is  audited.  The  most  common  mistake  is  not  involving  experienced  secu¬ 
rity  personnel  in  the  initial  planning  of  the  offsite  meeting,  conference  or 
corporate  move.  Early  involvement  allows  a  security  practitioner,  who  is  experi¬ 
enced  in  performing  risk  assessments,  to  educate  and  advise  planners  as  to 
issues  that  may  put  sensitive  information  at  risk.  A  CSO  can  then  advise  alter¬ 
native  ways  to  avoid  or  mitigate  the  potential  of  exposing  sensitive  information 
to  loss.  Another  common  mistake  or  oversight  is  to  not  adequately  educate  all 
contractors,  subcontractors,  vendors  and  suppliers  so  that  their  actions  do  not 
put  information  at  risk  of  exposure  to  unauthorized  individuals  or  a  potential 
loss  of  trade  secret  status  because  of  claims  of  inadequate  security. 

Q:  In  certain  cases,  is  it  better  to  follow  the  adage  “security  by  obscurity”?  Mean¬ 
ing,  if  you  don’t  call  attention  to  it,  you  get  lost  in  the  noise. 

A:  It  is  almost  always  advisable  to  maintain  a  low  profile  for  both  personnel  and 
sensitive  information.  One  way  is  to  ensure  that  your  outsourced  printer  does  not 
attach  a  sample  copy  of  sensitive  printed  material  to  the  outside  of  the  boxes 


Q:  How  elaborate  do  your  security  plans  get? 

A:  A  recent  example  of  security  for  an  offsite  meeting 
included  the  usual  preliminary  planning  as  well  as 
awareness  briefings  hosted  by  the  business  unit  manager 
prior  to  leaving  for  the  event.  Upon  arrival  at  the  meeting 
site,  each  attendee  received  instructions  drafted  by  the 
security  department  and  signed  by  the  event  host.  These 
instructions  mandated  that  attendees  bring  all  sensitive 
information  as  well  as  their  laptops  to  be  secured  in  a 
support  center  with  24-hour  security.  Company  security 
personnel  using  unmarked  vans  transported  sensitive 
printed  materials  as  well  as  printers,  fax  machines  and 
computer  networking  equipment  directly  from  the  com¬ 
pany  to  the  support  center.  Company 
security  and  IT  staffers  set  up  secured 
Internet  and  telephone  connectivity 
instead  of  allowing  company  employ¬ 
ees  to  work  in  their  rooms.  Company 
personnel  could  use  meeting  rooms, 
which  had  been  pre-inspected,  as  an 
alternate  to  gathering  in  an  unsecured 
public  area.  The  object  was  to  avoid 
creating  situations  where  sensitive 
information  might  be  at  risk. 

Q:  How  much  time  do  you  spend  plan¬ 
ning  versus  executing? 

A:  An  ever-increasing  percentage  of 
time  is  spent  establishing  and  continuing  a  dialogue 
with  senior  and  business  unit  management  to  identify 
business  goals,  objectives  and  time  lines.  Planning  for 
the  protection  of  sensitive  business  and  scientific  infor¬ 
mation  during  corporate  moves,  at  both  onsite  and  off¬ 
site  meetings  as  well  as  information  shared  externally 
with  partners,  vendors  and  customers,  is  an  important 
part  of  developing  a  security  management  strategy.  A 
continuous  dialogue  will  help  forge  the  understanding 
of  corporate  goals  and  the  development  of  a  security 
management  strategy  that  supports  business  goals.  ■ 


Ask  Your  Peers 


■■ 


Have  a  security  topic  to  suggest  or  an  expert  you’d  like  to  hear  from? 
Send  your  thoughts  to  Assistant  Managing  Editor  Kathleen  Carr  at 
kcarr@cxo.com.  Go  online  to  see  what  your  peers  are  discussing. 


www.csoonline.com/counsel 


22  www.csoonline.com  September  2003 


PHOTO  BY  JEFF  SHAFFER 


Is  Your  Security  Alert  Service 
Biased  or  Independent? 


My  security  alert  service  provider  is  really 
a  major  security  product  vendor: 

Q  Yes  Q  No 

My  security  alert  service  provider  sells  advertising  and 
certification  services  to  major  security  product  vendors: 

Q  Yes  Q  No 


My  security  alert  service  provider 
is  independent  and  unbiased: 

Q  Yes  Q  No 


No  censorship.  No  delays.  No  sugar  coating. 


tracker 

Keep  Track  of  the  Latest  Vulnerabilities  and  Threats 


1 -8BB-241-3895 
http  [//security tracker,  com/cso 


Wi-Fight  It? 


exploit,  not  anticipating  the  next. 

Wi-Fi  makes  it  harder  to  constrain  intranet  access 
because  physical  proximity  is  all  that  it  takes  to  circum¬ 
vent  a  firewall.  “War-chalks”  on  sidewalks  and  buildings 
showing  the  overlap  area  of  someone’s  network  access 
point  have  become  common  sights.  RFID  tags  may  not 
jeopardize  assets,  but  they  do  provide  insight  into  inven¬ 
tory  if  someone  gets  close  enough  to  scan  them.  The  pres¬ 
ence  of  some  tags  can  give  away  a  secret  ingredient  for  an 
industrial  formula;  an  unexpected  quantity  of  others  may 
indicate  expansion  plans.  Even  the  absence  of  some  items 
may  be  noteworthy. 

It  may  not  take  10  years  for  this  technology  to  reach 
critical  mass;  I’d  guess  it’s  more  like  two  to  three.  Unfor¬ 
tunately,  the  security  mind-set  shift  from  physical  prohi¬ 
bition  to  information  control  will  take  longer  than  that. 

Here  are  some  attitude  changes  for  the  evolving  CSO 
to  consider. 

Presence  is  not  permission.  Don’t  assume  someone 
on  a  network  is  a  legitimate  user 
any  more  than  you  would  believe 
that  walking  through  a  hotel  lobby 
certifies  a  person  as  a  guest. 

The  smaller  the  granularity,  the 
better  the  security.  Packet  and 
transaction  authentication  is  effec¬ 
tive;  stream  and  session  is  not.  Be 
aware  of  every  device  in  an  organi¬ 
zation  that  can  transmit  data,  and 
know  what  could  be  done  with  that 
information  if  it’s  divulged  to  a 
knowledgeable  person. 

Packet-pickers  aren’t  thieves. 
Bandwidth  is  often  seen  as  a  pub¬ 
lic  resource,  and  people  who  would 
blanch  at  the  thought  of  breaking 
into  a  computer  room  wouldn’t 
think  twice  about  jacking  into 
wireless  networks.  Recognize  that 
the  motivation  is  not  the  same  as 
hackers.  Companies  shouldn’t  con¬ 
done  the  practice  but  don’t  need 
to  be  overzealous  about  stopping 
it  either. 

Be  thoughtful,  not  combative 
when  confronted  with  the  rapid 
dissemination  of  wireless  tech¬ 
nologies— it’s  like  quicksand,  struggling  will  only  drag 
you  down  deeper.  ■ 


David  H.  Holtzman,  former  CTO  of  Network  Solutions,  also  worked  as  a 
cryptographic  analyst  with  the  U.S.  Navy  and  as  an  intelligence  analyst  at 
DEFSMAC.  He  can  be  reached  at  david^globalpov.com. 


CSOs  struggling  with  wireless  need  an  attitude  adjustment 

By  David  H.  Holtzman 


ECURITY,  LIKE  OTHER  bastions  of  business,  prefers  conflict  to  con¬ 
formance  when  first  faced  with  a  new  technology.  Wi-Fi  is  no  exception.  In  fact, 
wireless  devices  have  received  a  corporate  welcome  every  bit  as  warm  as  the  one 
I  reserve  for  the  long-distance  companies  that  interrupt  my  dinner  to  save  me  a 
nickel.  However,  like  it  or  not,  remote  access  technologies  are  infiltrating  the 
enterprise  and  will  change  the  direction  of  corporate  security. 

Technology  adoption  as  discussed  by  CIOs  and  CFOs  can  sound  methodical  and 
leisurely,  like  a  foursome  chipping 
and  putting  their  way  through  a 
deserted  back  nine  on  a  late  August 
afternoon.  CSOs  know  better.  Trendy 
electronic  gizmos  are  the  ready  golfers 
of  the  workplace,  driving  their  way 
through  the  corporation  and  sinking 
IT  procedures  in  their  wake- 
executive  gifts  the  first  year,  manage¬ 
ment  perks  the  next  and  the  subject  of 
Dilbert  cartoons  thereafter.  This  is 
the  point  where  smart  CSOs  choose  to 
remain  noncombatants.  They  know 
assimilation  is  inevitable,  especially  as 
the  devices  devolve  into  features  inte¬ 
grated  into  other  products  such  as 
Intel’s  Centrino  chip  with  built-in  Wi¬ 
Fi.  Another  embedded  remote  tech¬ 
nology  is  RFID  chips,  which  will 
almost  certainly  replace  bar  codes  for 
inventory  control— providing  a  new 
headache  for  information  security. 

Protecting  network  space,  where 
information  is  distributed  across  mul¬ 
tiple  machines,  is  a  mammoth  task. 

Comprehensive  protection  requires 
validation  of  every  action  and  recur¬ 
ring  authentication  of  each  partici¬ 
pant.  Network  space  will  never  be  safe  because  there  are  too  many  points  of 
access.  Locking  up  a  few  tapes  or  bolting  down  a  computer  room  is  a  manageable 
process,  but  validating  every  piece  of  executing  code  on  a  network  is  not.  Especially 
when  much  of  it  is  provided  by  vendors  and  unaccompanied  by  source  code. 
Sure,  applications  provide  authentication  mechanisms,  but  they  will  never  be 
foolproof.  Like  the  antiviral  programs,  they  will  always  be  reacting  to  the  last 


24  www. csoonlme.com  September  2003 


ILLUSTRATION  BY  KATHERINE  STREETER 


Need  to  comply  with  regulatory  require¬ 
ments  for  data  privacy  and  security? 

Or  meet  internal  business  requirements 
and  policies?  Then  you  need  Entegra. 

Entegra  is  a  comprehensive  data 
integrity  solution  that  helps  your  enter¬ 
prise  address  compliance,  risk,  security, 
and  operations  requirements.  Know 
how  your  data  assets  are  being  used. 
Account  for  who’s  accessed  what  infor¬ 
mation  -  and  what  changes  were  made. 

Find  out  more.  Request  your  free 
white  paper,  "Data  Access 
Accountability  -  Who  Did  What  To 
Your  Data  When?"  by  visiting 

www.lumigent.com/go/cso. 

Or  call  us  at  1  866-LUMIGENT 

(1-866-586-4436). 


Safeguarding  the  integrity  • 
and  availability  of  enterprise  data 


Copyright  ©  2003  Lumigent  Technologies,  Inc.  All  rights 
reserved.  Lumigent,  Entegra  and  the  Lumigent  Logo  are  trade¬ 
marks  or  registered  trademarks  of  Lumigent  Technologies,  Inc. 


If  someone  viewed  your  most  sensitive 
corporate  information,  who  would  know? 


With  Entegra 
you  know. 


f  I 

1  *181 

Sr 

1 1 1  M 

w _ 

-7  ' 


■  ,  ■  ■, 


A 


*  H 


nm 


m 


■ 


t 


mm 


& 


A  port  that  processes  nearly  On@  million  containers 

a  year  can't  afford  to  make  the  wrong  security  choice. 

That's  why  the  Port  of  Oakland  chose  ADT.  We  have  experience  in  large-scale,  integrated  system  solutions  The 
resources  to  provide  expertise  from  the  design  of  a  project  through  to  its  implementation.  And  strategic  relationships 
we  can  leverage  to  create  custom  solutions  for  a  broad  range  of  client  needs.  Drawing  on  these  capabilities,  we  were 
able  to  bring  together  automated  access  control,  video  surveillance,  perimeter  intrusion  detection  and  an  integrated 
communications  infrastructure  into  a  single  comprehensive  system  for  the  port.  A  solution  that  not  only  addresses 
important  Homeland  Security  issues,  but  important  budgetary  ones  as  well. 


i  sod  undef  lo 


The  maritime  security 
enhancement  project  with 
the  Port  of  Oakland  is  one  of  the 
largest  grants  awarded  by  the 
federal  Transportation  Security 
Administration  to  date. 


"This  provides  us  an  exciting  opportunity  to  harness  ADT's  renowned  experience 
and  expertise  and  the  latest  technologies  available  to  deliver  a  superior  integrated  security 

operation  at  our  maritime  terminals."  Tay  Yoshitani  -  Executive  Director,  Port  of  Oakland 


Homeland  Security  is  not  exactly  new  to  us.  ADT  has 

been  providing  solutions  for  the  emerging  needs  of  businesses 
and  government  agencies  for  nearly  1 30  years.  By  making 
it  a  point  to  fully  understand  our  clients'  industries  and 
their  unique  place  within  them,  we've  been  able  to  help 
these  clients  plan  and  prepare  for  changing  times.  This 
approach  is  more  valuable  now  than  ever.  And  it’s  one  of 
the  reasons  we  are  involved  with  so  many  institutions 
affected  by  Homeland  Security  issues.  We  currently  work 
with  a  number  of  federal  agencies,  more  than  seventy  of 
our  nation's  airports,  and  many  of  our  country's  largest 
utilities  and  financial  institutions. 

Your  responsibilities  are  critical.  So  is  your  choice  for 
security.  ADT  has  one  of  the  nation's  largest  networks  of 
dedicated  security  professionals.  Resources  designed  to 


ADT  is  involved  in  an 
innovative  container 
security  project  that's 
using  the  latest  in 
satellite  technology  to 
help  monitor  products 
from  point  of  origin 
to  final  destination. 

handle  projects  of  almost  any  size  and  scope.  And  integrated 
system  solutions  that  have  already  been  proven  successful  in 
other  large-scale  projects.  So  we  understand  the  issues  you're 
facing  and  are  fully  prepared  to  help  you  address  them. 
Learn  more  at  www.ADT.com,  or  arrange  a  consultation  with 
one  of  our  experienced  integration  experts.  And  know  that  as 
you  head  into  this  new  environment,  you  don’t  have  to  go 
it  alone.  ADT.  Always  There. 


JD 

O 


o 

o 

3 


3 

CD 

T 

GO 


T3 

■g 

d’ 

CO 


0) 

D 

r-t 

co 

-< 

cn 


T) 

O 


a 

CD 

T3 

a> 

3 

CD 

13 


o 

CD 

— 

CD 

D 

(s> 

0 


D* 

0) 

D 

O 

a/ 

ET 

(/) 


O 

D 

C/3 


0 

C/) 


O 


o 

fl) 


Q> 

0 

r—f 

c 

o 

c 
— 1 
CD 

I 

O 

3 

2L 

03 

3 

CL 

C/5 

CD 

O 

c 


C/5 

O 

c 


o 

3 

to 


tl/CO 


/  Fire  & 

/  Security 


Cover  Story 


In  an  effort  to  prevent  terrorists  from  turning  container  ships 
into  weapons,  Customs  is  counting  on  big  business  to  goad 
partners  into  improving  security.  The  result:  a  case  study  for 
how  the  government’s  much  touted  public  and  private 
partnerships  might  work— or  fail  completely. 

By  Sarah  D.  Scalet 


FACTORIES  NEED  FENCES.  EIGHT-FOOT— MAYBE  lO-FOOT— 

fences.  Barbed  wire.  Imposing  structures  that  not  only  mark  a  boundary  but  also  keep 
intruders  out  and  goods  in. 

At  least  that’s  what  Ken  Wheatley  had  always  assumed.  That  is,  until  he  went  on  a 
whirlwind  three-week  tour  of  Asia  in  September  2002.  As  vice  president  of  corporate  secu¬ 
rity  for  Sony  Electronics  and  a  participant  in  a  volunteer  security  program  created  by  the 
U.S.  Bureau  of  Customs  and  Border  Protection,  Wheatley  helped  conduct  vulnerability 

inspections  at  a  half  dozen  of  Sony’s  largest  facilities 
shipping  goods  to  the  United  States.  Traveling  with  a 
six-person  team  from  Japan  to  Malaysia  to  Singapore, 
Wheatley  discovered  that  even  things  as  seemingly 
straightforward  as  fences  often  lose  something  in 
translation. 

He  puzzled,  for  instance,  over  the  kid-size  boundary 
markers  at  some  of  the  Asian  manufacturing  facilities 
of  Sony  Electronics  (a  U.S.-based  division  of  Japan’s  Sony  Corp.).  “Depending  on  the  coun¬ 
try',  a  really  obtrusive  fence  communicates  something  negative  to  the  community,”  says 
Wheatley.  “If  I  pointed  out  to  local  employees  in  an  area  with  little  crime  that  someone 


IN  THIS  STORY:  Why  the  global  shipping 
industry  is  at  risk  ■  How  the  U.S.  Bureau  of 
Customs  and  Border  Protection  is  trying  to 
persuade  businesses  to  improve  their  secu¬ 
rity  ■  What  your  peers  are  doing  to  comply 
with  new  supply  chain  security  guidelines 


www.csoonline.com  September  2003 


PHOTO  BY  ROBERT  BURROUGHS 


'•  ... 


itpWHiijiUMa 


"-•W.  •  .  •-■  in 

Sony’s  Ken 
Wheatley 
says  security 
is  not  a  U.S. 
problem:  “It’s 
a  matter  of 
sensitizing 
leople  to  the 
,ct  that 


global 
economy.” 

r-ih: 


Cover  Story  |  Supply  Chain 


could  easily  climb  over  a  3-foot  fence,  they’d 
ask,  Why  would  someone  do  that?”  And  then 
they'd  wonder  why  the  U.S.  government  was 
trying  to  impose  its  will  upon  them. 

The  Customs-Trade  Partnership  Against 
Terrorism,  or  C-TPAT,  sets  parameters  for 
how  member  companies  should  protect  cargo 
they  import  from  being  infiltrated  by  terror¬ 
ists  and  used  as  a  weapon  of  mass  destruc¬ 
tion— a  scenario  that  many  experts  view  as 
the  nation’s  biggest  vulnerability.  The  guide¬ 
lines  start  with  the  kind  of  fence  that  sur¬ 
rounds  a  company’s  manufacturing  facility 
and  extend  far  out  into  the  supply  chain,  to 
how  business  partners  around  the  world  order 
supplies  and  screen  employees  and  seal  con¬ 
tainers  laden  with  goods  bound  for  the  United 
States.  Although  C-TPAT  is  a  voluntary  pro¬ 
gram,  for  large  companies  that  want  their 
goods  to  get  into  the  United  States  quickly— 
and  for  small  companies  that  want  those  large 
companies’  business— joining  is  not  really  an 
option.  It’s  a  necessity. 

In  fact,  by  issuing  the  guidelines  Wheatley 
was  trying  to  meet,  the  U.S.  government  itself 
is  not  trying  to  impose  its  will  on  importers— 
not  directly,  anyway.  Instead,  Customs  is 
counting  on  companies  such  as  Sony  to  do 
the  enforcement,  in  perhaps  the  most  ambi¬ 
tious  of  all  the  public  and  private  partner¬ 
ships  that  the  government  has  made  its 
rallying  call  since  9/11. 

“It’s  to  some  degree  ‘voluntary’  with  both 
arms  tied  behind  my  back,”  is  how  Pinkerton 


Consulting  &  Investigations  consultant  Barry 
Wilkins  describes  the  program,  having  helped 
more  than  30  companies,  mostly  Fortune  100, 
through  the  C-TPAT  process. 

What  remains  to  be  seen  is  whether  Cus¬ 
toms  can  strike  the  right  balance  between 
making  the  guidelines  stringent  enough  to 
actually  improve  security  and  flexible  enough 
so  that  companies  won’t  balk  at  joining,  even 
though  participation  means  trying  to  wrap 
their  arms  around  complex  supply  chains  in  a 
way  they’ve  never  before  contemplated.  That 
when  anything  that  might  slow  down  com¬ 
merce  is  viewed  with  skepticism,  and  when 
merely  getting  different  divisions  of  your  com¬ 
pany  to  agree  about  the  purpose  of  fences  can 
be  a  struggle  all  its  own. 

“Clearly  some  countries  think  this  is  a  U.S. 
problem  and  not  their  problem,”  Wheatley 
says.  “It’s  a  matter  of  sensitizing  people  to  the 
fact  that  we’re  in  a  global  economy,  and  what 
affects  one  partner  is  going  to  have  a  ripple 
effect  back  to  other  countries.  [C-TPAT]  is  a 
massive  undertaking  and  a  bit  of  a  sales  job.” 

The  truth  is,  the  guidelines  that  Customs 
officials— and  by  extension  C-TPAT  mem¬ 
bers— are  hawking  are  still  very  much  on 
rough  waters. 

Moving  the  Global  Economy 

Even  as  Wheatley  speaks,  100  miles  north  of 
his  office  in  San  Diego,  ships  from  all  over  the 
world  are  easing  their  way  into  the  ports  of 
Los  Angeles  and  Long  Beach,  the  largest  port 


area  in  the  United  States  and  the  third  largest 
in  the  world.  The  ships  are  packed  tight  with 
the  building  blocks  of  the  global  economy: 
20-foot-long  and  40-foot-long  containers  full 
of  TV  sets,  tennis  shoes  and  tomatoes.  Some 
20,000  containers  a  day— 45  percent  of  all 
loaded  containers  coming  into  the  United 
States— make  their  way  through  these  ports 
and  on  to  the  rest  of  the  country  by  way  of 
train  and  truck.  If  you  wonder  what  that 
means  for  the  nation’s  economy,  just  ask 
William  Ellis,  director  of  security  for  the  Port 
of  Long  Beach. 

“Two  billion  dollars  a  day,”  Ellis  says,  refer¬ 
ring  to  the  cost  of  a  dockworkers  strike  at  his 
port  in  late  2002,  which  brought  cargo  ship¬ 
ping  there  to  a  grinding  halt.  “In  10  days,  we 
had  a  $20  billion  impact  on  the  U.S.  economy. 
If  all  shipping  was  shut  down,  it  would  be 
devastating.” 

Yet  that’s  precisely  what  many  observers 
fear  could  happen  if  terrorists  managed  to 
sneak  a  dirty  bomb,  or  even  just  the  equivalent 
of  a  car  bomb,  into  one  of  those  containers  and 
detonate  it  in  the  United  States. 

“After  Sept.  11,  we  threw  the  globalization 
kill  switch”  by  shutting  down  air  transporta¬ 
tion,  says  Stephen  Flynn,  a  former  U.S.  Coast 
Guard  commander  who  is  widely  recognized  as 
the  country’s  leading  expert  on  cargo  security. 
“My  fear  is  that  something  happens  on  a  truck 
or  a  train  or  a  ship,  and  we  throw  that  trans¬ 
portation  kill  switch  again  to  sort  things  out; 
and  we  don’t  even  start  with  the  [security] 


Port  Boys  Complaint 

FOR  YEARS,  THE  CARGO  SUPPLY  CHAIN  HAS  BEEN 
ENCUMBERED  BY  SLOW  SECURITY  CHECKS.  C-TPAT 
WANTS  TO  CHANGE  THAT. 

IN  THE  TEAM-BUILDING  PORTION  at  your  last  company  offsite,  you  proba¬ 
bly  remember  an  exercise  where  group  A  led  group  B  through  an  obstacle 
course.  Presumably  group  B  exited  the  course  unscathed.  The  game  is  simi¬ 
lar  to  the  real-life  scenario  being  played  out  at  shipping  ports  around  the 
world  today:  In  an  attempt  to  lead  businesses  through  transport’s  security 
maze,  the  U.S.  Bureau  of  Customs  and  Border  Protection  has  created  sev¬ 
eral  programs  to  improve  the  inherent  lack  of  trust  in  the  cargo  system  so 
that  things  move  more  swiftly  through  the  supply  chain. 

The  Customs-Trade  Partnership  Against  Terrorism,  or  C-TPAT,  is  a  joint 


30  www.csoonline.com  September  2003 


PHOTO  BY  AP/WIDE  WORLD  PHOTOS 


Shipping  Stats 

16  million  containers 
arrive  in  the  United  States 
each  year. 

5.7  million  sea  contain¬ 
ers  were  processed  by  the  U.S. 
Bureau  of  Customs  and  Border 
Protection  in  2001. 

95  percent  of  U.S.  trade 

travels  by  sea. 

Two-thirds  of  an  con¬ 
tainers  arriving  in  the  United 
States  by  sea  come  from  or 
through  the  world’s  20  largest 
ports. 

baseline  we  had  with  aviation.  The  time  it  will 
take  to  restore  public  confidence  will  have  an 
incredibly  disruptive  impact  on  the  economy.” 

That’s  because  the  global  shipping  industry 
has  evolved  for  speed,  reliability  and  effi¬ 
ciency— not  security.  Consider  this:  An  im¬ 
porter  can  move  a  container  holding  30  tons  of 
material  from  Asia  to  the  West  Coast  for  as 
little  as  $2,500.  That’s  about  4  cents  a  pound. 
“It  makes  the  postage  stamp  look  a  little  over¬ 
priced,”  Flynn  quips. 

U.S.  companies  built  empires  on  this  sys¬ 
tem,  moving  manufacturing  offshore  and 
slashing  inventories.  They  came  to  view  a  cer¬ 
tain  amount  of  cargo  theft  and  drug  smug¬ 


gling  the  way  department  stores  view  shoplift¬ 
ing:  not  at  all  desirable,  but  nevertheless  a  cost 
of  doing  business.  Only  about  2  percent  of 
incoming  containers  are  physically  inspected 
by  Customs.  “We  basically  decided  that  given 
the  benefits  of  the  system,  it  wasn’t  worth  the 
hassle  of  going  after  all  these  activities,”  says 
Flynn,  a  senior  fellow  in  national  security  stud¬ 
ies  at  the  Council  on  Foreign  Relations. 

In  post-9/ll  waters,  of  course,  the  risks  are 
different  than  routine  theft  and  drug  smug¬ 
gling,  and  protecting  against  them  is  a  daunt¬ 
ing  task.  APL,  one  of  the  world’s  largest 
shipping  companies,  estimates  that  an  end-to- 
end  supply  chain  can  involve  up  to  25  par¬ 
ties— each  with  their  own  facility,  staff  and 
procedure— and  35  to  40  shipping  documents 
per  container.  “For  a  ship  carrying  3,000  con¬ 
tainers,  more  than  100,000  documents  need 
to  be  managed  to  some  degree,”  says  Earl 
Agron,  director  of  port  and  container  secu¬ 
rity  of  APL.  Because  of  this  tremendous  com¬ 
plexity,  no  one  has  ever  tried  to  secure  the 
shipping  supply  chain  from  end  to  end. 

That  is,  until  now. 

Uncle  Sam  Steps  In 

On  Sept.  24,  2001,  former  chief  of  the  Drug 
Enforcement  Administration  Robert  Bonner 
was  sworn  in  as  the  commissioner  of  the  U.S. 
Customs  Service,  now  known  as  the  U.S. 
Bureau  of  Customs  and  Border  Protection. 
“Terrorism  is  our  highest  priority,  bar  none,” 
Bonner  told  the  Chicago  Tribune  shortly  after 


his  appointment.  The  war  on  drugs  was  effec¬ 
tively  over. 

Since  then,  much  of  the  attention  in  the 
press  has  been  on  Customs’  controversial  24- 
hour  manifest  rule,  which  requires  compa¬ 
nies  to  submit  shipping  information  to 
Customs  24  hours  before  goods  are  loaded 
onto  a  vessel  headed  to  the  United  States.  But 
most  of  what  Customs— now  lodged  within 
the  Department  of  Homeland  Security— has 
done  has  been  of  a  kinder,  gentler  sort. 

The  Container  Security  Initiative  (CSI),  for 
instance,  is  a  program  in  which  Customs  offi¬ 
cers  are  placed  in  ports  around  the  world  to 
search  high-risk  cargo  headed  to  the  United 
States.  The  program  is  voluntary,  but  an  FAQ 
at  the  Customs’  website  promises  that  “in  the 
event  of  a  terrorist  attack  using  a  cargo  con¬ 
tainer,  CSI  ports  would  remain  in  operation 
because  they  have  a  security  system,  CSI,  in 
place.” 

C-TPAT,  meanwhile,  is  the  equivalent 
carrot-not-stick  program  for  American  busi¬ 
nesses.  Announced  in  April  2002,  it  requires 
member  companies  to  conduct  a  security 
assessment  of  their  entire  supply  chain,  quiz 
business  partners  about  security,  outline  plans 
for  improvement,  and  eventually  let  Customs 
come  in  and  validate  those  processes.  In 
return,  Customs  promises  members  a  “fast 
lane”  through  the  border,  along  with  other 
benefits  such  as  the  option  to  set  up  monthly 
billing  rather  than  paying  duties  shipment- 
by-shipment. 


initiative  between  the  government  and  the  private  sector  aimed 
at  safely  expediting  containers  through  ports.  Companies  that 
promise  to  use  good  security  measures  and  provide  documenta¬ 
tion  of  the  containers’  contents  to  Customs  officials  will  be 
rewarded  with  an  accelerated  shipping  schedule— kind  of  like  a 
fast  lane  for  cargo.  Those  that  enroll  in  the  program  must  per¬ 
form  self-assessments  of  their  supply  chain  security  and  imple¬ 
ment  a  security  program  that  follows  C-TPAT  guidelines,  which 
focus  on  security  compliance  of  facilities,  access,  procedures, 
personnel,  documentation  and  training. 

“Anyone  at  a  terminal  of  a  trucking  company  could  infiltrate 
the  cargo  supply  chain,  especially  overseas  where  background 
checks  aren't  allowed,"  says  Ken  Wheatley,  vice  president  of  cor¬ 
porate  security  for  Sony  Electronics.  “The  obvious  difficulty  lies 
in  managing  a  coordinated  effort  between  various  government 


entities.  If  you  have  DEA,  FDA  and  Customs  independently 
coming  up  with  regulations  without  communicating  with  each 
other,  the  end  users  will  get  caught  in  a  vice  with  inconsistent 
standards.” 

' 

Another  Customs  initiative,  called  the  Container  Security  Ini- 
tiative,  or  CSI,  was  launched  in  January  2002,  to  ensure  the  secu¬ 
rity  of  containers  in  transit  by  using  technology  to  prescreen  and 
secure  containers.  Of  the  top  20  ports  worldwide,  18  have  already 
joined  CSI.  According  to  Wheatley,  becoming  a  member  of  the 
initiative  means  you  are  “a  trusted  importer."  To  attain  that  sta- 
tus,  you  must  provide  Customs  with  details  of  what  you’re  ship¬ 
ping  and  documentation  that  demonstrates  that  you  are  shipping 
it  safely. 

-Kathleen  Carr 


, 


''Pa 


September  2003  www.csoonline.com  31 


Cover  Story  I  Supply  Chain 


5 


mss* 


William  Ellis, 
director  of 
security  for  the 
Port  of  Long 
Beach,  says  no 
one  has  worked 
out  an  effective 
supply  chain 
security  process 
"because  so 
many  different 
people  are 
involved  " 


“What  we’re  trying  to  do  is  get  more 
detailed  information  [so  we  can]  get  the  low- 
risk  cargo  out  of  the  way  and  focus  on  the 
high-risk  cargo,”  says  C-TPAT  Director  Robert 
Perez,  who  before  9/11  was  one  of  Customs’ 
lieutenants  in  the  war  on  drugs. 

At  first,  the  program  was  opened  to 
importers  only— the  General  Motors  and 
Targets  of  the  world.  “They  had  the  most 
clout,”  Perez  explains.  Carriers,  including  ship¬ 
ping  and  trucking  companies  and  airlines, 
were  brought  on  next— followed  by  the  bro¬ 
kers  and  freight  forwarders  that  serve  as  inter¬ 
mediaries  between  carriers  and  importers. 
Most  recently,  U.S.  marine  port  authorities 

Four  Slow 
Steps  to  the 
Fast  Lane 

COMPANIES  THAT  JOIN  the  Customs- 
Trade  Partnership  Against  Terrorism, 
or  C-TPAT,  agree  to  secure  their  supply 
chain  in  return  for  a  “fast  lane”  at  border 
crossing.  Here’s  the  rundown  on  the 
process  and  the  number  of  companies 
that  have  gotten  that  far,  as  of  July  2003. 

Step  Is  Sign  Up 

Sign  a  memorandum  of  understanding 
stating  that  your  company  intends  to 
participate  in  C-TPAT. 

So  far,  3,800  companies  have  signed. 

Step  2:  Apply 

Complete  a  questionnaire  about  your 
company's  security  procedures,  which 
include  asking  business  partners  about 
theirs. 

2.400  companies  have  applied. 

Step  3:  Get  Certified 

If  Customs  approves  the  application, 
your  company  will  be  recognized  as 
C-TPAT  certified. 

1.400  companies  have  been  certified. 

Step  4:  Get  Validated 

A  Customs  team  comes  to  check  that 
what  you  said  on  your  application  is 
really  true. 

20  companies  have  been  approved. 


were  added  to  the  mix. 

So  far,  more  than  3,800  companies  have 
signed  memorandums  of  understanding  stat¬ 
ing  their  intention  to  join  C-TPAT.  Of  those, 
more  than  2,400  have  filled  out  a  security 
questionnaire  detailing  how  they’re  protecting 
their  supply  chain,  and  Customs  has  certified 
more  than  1,400  of  those  applications. 

Members  are  starting  to  see  the  benefits. 
When  a  new  security  alert  is  issued,  “instead 
of  peaks  and  valleys,  we  haven’t  had  any  slow¬ 
downs,”  says  Randy  Arnt,  executive  director  of 
corporate  security  for  paper  company 
Kimberly-Clark.  “Everybody  else  that’s  part 
of  this  process  has  experienced  the  same  thing. 
At  this  point,  if  you’re  a  large  company  and 
you  haven’t  been  certified,  you’re  really  at  a 
competitive  disadvantage.” 

Observers  also  note  that,  as  Customs  had 
hoped,  the  program  has  cascaded  far  beyond 
the  companies  that  are  directly  involved. 
Pinkerton’s  Wilkins  says  that  as  part  of  the 
certification  process,  one  client  alone  sent 
1,200  letters  to  business  partners  asking  about 
their  security  processes. 

“It’s  the  domino  effect,”  says  Agron,  whose 
company,  APL,  has  been  on  the  receiving  end 
of  such  letters.  “They  start  out,  ‘Dear  Ocean 
Carrier,  As  part  of  the  process  of  becoming 
C-TPAT  certified,  we  need  to  know  if  you’re  a 
member  of  C-TPAT.  If  you’re  not,  do  you  do 
the  following?’  We  don’t  have  to  fill  out  the 
questionnaire  because  we  just  say  we’re 
C-TPAT  compliant.” 

DHL  Danzas  Air  &  Ocean,  a  freight  for¬ 
warder  that  contracts  with  shipping  compa¬ 
nies  such  as  APL  to  move  customers’  goods 
from  one  place  to  another,  is  starting  to 
include  the  certification  in  its  vendor  contract 
negotiations.  “We  prefer  that  any  company 
we  hire  as  a  service  provider  is  compliant  so 
there’s  less  chance  of  delay,”  says  Art  Arway, 
director  of  security  for  the  Americas.  “We 
don’t  require  that  at  this  point,  and  whether 
we  will  require  it  is  a  subject  of  some  debate.” 

But  at  DaimlerChiysler— which  is  a  C-TPAT 
charter  member,  along  with  BP  America, 
Ford,  General  Motors,  Motorola,  Sara  Lee 
and  Target— the  debate  is  over.  The  program 
is  becoming  a  requirement.  By  FY03,  Daim- 
lerChrysler  will  require  trucking  companies 
that  transport  its  products  across  the  U.S.  and 
Canadian  border  to  join  C-TPAT. 


More  Than  Lip  Service? 

That’s  just  what  Customs  wants  to  hear.  The 
problem  is  that  right  now,  Customs  is  just 
rubber-stamping  applications  that  look  good. 
As  of  July,  of  the  2,400  companies  that  have 
applied  for  the  program,  Customs  went  onsite 
to  validate  only  about  20  companies’  security 
processes.  Fifteen  of  those  companies  were 
importers,  and  it’s  widely  assumed  that  about 
half  of  those  were  charter  members— the  very 


32  www.csoonline.com  September  2003 


companies  chosen  for  validation.  “If  the  vali¬ 
dations  are  done  of  100  of  the  biggest  com¬ 
panies,  or  the  first  100  who  sign  up,  then  that’s 
not  a  valid  sample,”  says  Stuart  Seidel,  a  part¬ 
ner  with  law  firm  Baker  &  McKenzie,  who 
has  been  helping  clients  interpret  the  guide¬ 
lines.  “If  it’s  an  assortment  of  companies,  then 
that  goes  a  long  way  to  validating  the  pro¬ 
gram,  plus  it  keeps  people  on  guard.  I  don’t 
think  [the  small  number  of  validations  is]  a 
problem  right  now  because  the  companies 
that  have  applied  for  participation  probably 
are  trying  to  do  a  good  job  of  security.  The 
problem  is  going  to  come  in  the  future.  If  Cus¬ 
toms  can’t  check  on  the  filings,  a  lot  of 
additional  companies  that  may  not  be  as 
responsible  will  try  to  get  into  the  program 
without  adopting  the  security  procedures.” 

Perez,  not  surprisingly,  won’t  comment  on 
which  companies  are  being  validated,  except 
to  say  that  the  first  100  validations  will  include 
more  than  importers. 

What  remains  to  be  seen  is  whether  the 
guidelines  Customs  is  checking  against  will 
be  strict  enough  to  make  a  difference.  In  dis¬ 
cussing  the  process  of  joining  C-TPAT,  people 
talk  about  the  paperwork  involved— not  the 
security  improvement  they’ve  made.  And 
every  care  has  been  taken  to  assure  companies 
that  the  process  won’t  slow  them  down,  which 
seems  to  hold  true  right  through  to  the  end. 
DaimlerChrysler’s  Bill  Cook,  senior  manager 
of  corporate  customs,  international  supply 
and  customs  supply,  brushes  off  the  validation 
process.  “It  was  a  couple  of  days’  worth  of  vis¬ 
its,”  he  says.  “We  took  them  to  some  local  facil¬ 
ities  that  could  well  display  how  our  supply 
chain  works.” 

“Nobody  has  complained  that  it  was  diffi¬ 
cult,”  says  Pinkerton’s  Wilkins,  who  has 
worked  with  about  a  dozen  of  the  companies 
that  have  been  validated.  “Those  that  have 
been  through  the  validation  process  have 
found  that  Customs  was  fair  and  reasonable, 
and  they  sort  of  described  it  as  painless.  [Cus¬ 
toms  is]  in  and  out  in  10  days  or  less.” 

But  underlying  such  alleged  painlessness  is 
a  question  of  whether  Customs  is  going  too  far 
to  keep  the  industry  happy,  at  security’s 
expense.  “I  don’t  want  to  be  quoted  as  saying 
Customs  should  do  a  better  job,  but  in  some 
cases  [the  companies]  wanted  more  sug¬ 
gestions  than  they  got,”  Wilkins  says.  “But 


companies  that  helped  Customs  hammer  out 
the  guidelines  in  the  first  place. 

“We’re  in  a  very  queasy  period,”  the  Coun¬ 
cil  on  Foreign  Relations’  Flynn  says.  ‘The  chal¬ 
lenge  for  C-TPAT  is  to  move  from  a  trust-based 
system  to  a  trust-but-verify  system.  We  have  to 
get  more  policing.” 

To  do  that,  the  program  needs  more  fund¬ 
ing  than  the  $8.3  million  it  currently  has.  Cus¬ 
toms  has  asked  for  an  additional  $12  million 


in  C-TPAT  funding  for  FY04  and  is  working 
on  hiring  more  than  100  additional  staff 
members,  whose  responsibilities  will  include 
helping  the  30  who  are  currently  plodding 
through  the  validations.  Perez  says  120  vali¬ 
dations  are  in  the  pipeline  and  that  he  is  aim¬ 
ing  to  have  at  least  100  done  by  November. 

That  may  seem  a  pittance,  but  observers 
point  out  that  the  number  of  completed  vali¬ 
dations  may  be  less  important  than  the 


PHOTO  BY  MARK  ROBERT  HALPER 


September  2003  www.csoonline.com  33 


Cover  Story  |  Supply  Chain 


Bells,  Whistles  and 
High-Tech  Seals 


Customs  isn’t  a  consultant.” 

In  fact,  that’s  the  whole  problem  with  the 
concept  of  public  and  private  partnerships 
that  the  Department  of  Homeland  Security 
has  been  counting  on  as  a  way  to  improve  the 
nation’s  security:  Guidelines  have  to  be  lenient 
enough  that  companies  will  volunteer,  but 
strict  enough  to  make  a  difference.  “It’s  a  bal¬ 
ance  between  the  security  that’s  involved  and 
business  requirements,  so  that  you  don’t  intro¬ 
duce  initiatives  that  disrupt  the  economy,” 
DaimlerChrysler’s  Cook  says. 

The  lip  service  might  be  enough  at  some 


ONE  GPS  PROTOTYPE  PERSUADES  CONGRESS  TO  RESEARCH 
SUPPLY  CHAIN  WEAKNESSES 

IN  THE  SPRING  OF  2002,  a  container  of  lightbulbs  made  its  way  from  an  Osram  Syl- 
vania  factory  in  Nove  Zamke,  Slovakia,  through  the  German  port  of  Hamburg  and  on 
to  Montreal  before  getting  waylaid  on  its  way  to  Hillsboro.  N.H.,  by  a  truck  driver  who 
cruised  through  a  few  of  Montreal’s  grittier  neighborhoods  and  then  took  a  long  break 
at  the  first  rest  stop  over  the  border  in  Vermont. 

The  extra  six  or  seven  hours  between  Montreal  and  Hillsboro  probably  wasn't  any¬ 
thing  too  unusual,  in  and  of  itself  What  was  unusual  was  that  an  onboard  GPS  device 
allowed  a  team  of  researchers  to  learn  of  the  delay— just  one  of  the  many  security 
risks  along  the  complicated  supply  chains  that  bring  imported  goods  to  the  United 
States  every  day. 

“It  took  one  prototype,  to  a  large  extent,  to  get  people  in  the  government  more 


aware  of  what  we're  talking  about,”  says  Stephen  Flynn,  a  former  U.S.  Coast  Guard 
commander  who  is  an  expert  on  the  homeland  security  risks  invdlved  with  cargo 
shipping. 

This  prototype  for  Operation  Safe  Commerce  was  enough  of  a  success— and 
enough  of  a  failure,  between  the  truck  driver's  tardiness,  an  improper  seal  on  the  con¬ 
tainer  and  a  GPS  device  rendered  useless  while  the  container  was  in  the  hold  of  the 
ship— that  it  spawned  $58  million  in  funding  from  Congress  to  the  Transportation 
Security  Administration.  The  pilot  program,  which  should  be  completed  by  July  2004, 
is  intended  to  analyze  not  only  supply  chains  and  their  weaknesses  but  also  how 
technology  might  reduce  those  risks.  The  nation’s  three  largest  port  areas— the  ports 
of  Seattle  and  Tacoma;  Los  Angeles  and  Long  Beach;  and  the  Port  Authority  of  New 


York  and  New  Jersey— are  coordinating  the  importers,  shippers,  freight  forwarders 
and  technology  providers  that  are  participating. 

“Nobody  has  really  put  together  a  supply  chain  security  process  and  done  a  thorough 
analysis  of  it,  primarily  because  there  are  so  many  different  people  involved,”  says  William 
Ellis,  director  of  security  for  the  Port  of  Long  Beach.  “It’s  just  a  massive  undertaking.” 

The  technology  being  tested,  among  other  things,  includes  GPS  for  tracking  ship¬ 
ments,  intrusion  detection  technologies  that  monitor  light  and  motion  inside  a  sealed 
container,  sensors  for  radioactive  material  and  electronic  seals  that  contain  informa¬ 
tion  about  what  the  container  holds  and  can  also  show  evidence  of  tampering. 

“We're  hoping  that  through  Safe  Commerce,  we'll  find  systems  that  work,  and 
those  systems  will  be  applied  to  all  cargo  moving  anyplace  in  the  world,”  says  Jim 
Serrill,  director  of  seaport  security  for  the  Port  of  Seattle.  -S.S. 


companies.  “From  time  to  time  you’ll  find 
[security]  standards  slipping,  and  when  you 
go  back  to  the  business  units,  they  say,  Gee 
whiz,  we’d  like  to  do  that  but  we’re  in  cost¬ 
cutting  mode,”  Kimberly-Clark’s  Arnt  says. 
“The  thing  I  feel  best  about  is  that  now  we 
have  a  tool  to  say,  ‘This  is  something  we  have 
to  do  to  make  sure  that  we  remain  on  the  fast- 
track  program.’  That’s  an  easy  argument  to 
sell  to  management.” 

The  question:  If  there  is  some  kind  of  ter¬ 
rorist  attack  involving  cargo  security  before  C- 
TPAT  has  the  credibility  that  Customs  hopes 
it  will  gain,  will  the  entire  program  be  sunk? 

“If  we  don’t  get  enough  muscle  into  the  ini¬ 
tiatives  to  make  people  confident,  my  fear  is 
that  the  inherent  good  wisdom  [of  Customs’ 
voluntary  programs]  will  get  discredited,” 
Flynn  says.  “The  trade  industry  has  not  come 
to  grips  with  the  fact  that,  post-event,  the 
things  they’re  doing  just  aren’t  going  to  pass 
the  public  confidence  test.” 

And  that  could  mean  that,  for  all  the  pub¬ 
lic  and  private  partnerships  kumbaya-ing,  in 
the  long  run,  C-TPAT  will  be  nothing  more 
than  the  groundwork  for  industiy  regulations. 
“Anything  is  possible,”  Customs’  Perez  admits. 
“I’m  not  going  to  say  that  that  isn’t  something 


that’s  a  possibility.  But  there  is  no  serious 
talk  to  that  end  for  now.  The  focus  of  this 
program  from  the  get-go  has  been  on  self¬ 
policing.” 

APL’s  Agron,  for  one,  is  cheering  him  on. 
“We’re  a  Bob  Perez  fan,  a  C-TPAT  fan,  because 
if  C-TPAT  fails  then  we’re  going  to  look  at 
government  mandates  that  are  devised  and 
defined  by  people  who  don’t  understand  secu¬ 
rity,”  he  says,  noting  that  one  law  introduced 
in  the  U.S.  House  of  Representatives  last  Feb¬ 
ruary  essentially  proposes  that  100  percent  of 
all  cargo  entering  the  United  States  be 
inspected.  “Obviously  you  can’t  do  that,” 


Agron  says.  “The  fact  that  the  law  has  even 
been  proposed  says  that  we  really  have  to 
make  this  work.”  ■ 

Senior  Writer  Sarah  D.  Scalet  can  be  reached  at 
sscalet&cxo.com. 

Physical  Security  Resources 

Learn  how  companies  protect  cargo  and  other  physical 
assets  by  visiting  CSOonline’s  THREATS  &  RECOVERY 
RESEARCH  CENTER.  There  you’ll  find  articles  about 
designing  secure  (and  beautiful)  buildings,  protecting 
the  perimeter  of  Boston  Harbor  and  using  biometrics  on 
the  battlefield.  Go  to  www.csoonline.com/threats. 


34  www.csoonline.com  September  2003 


Not  with  us  it  isn't. 


We  see  management 
a  little  differently 
from  the  other  guys. 


At  NetlQ,  we  don't  see  a  problem.  Only  solutions. 
Managing  your  Windows  server  environment  is  easier 
than  ever  with  Microsoft  Operations  Manager.  And, 
as  a  key  Microsoft  partner,  NetlQ  extends  Microsoft 
Operations  Manager  to  manage  and  secure  your 
entire  enterprise,  whether  you're  driving  UNIX, 
NetWare,  Linux,  Windows. ..or  all  of  them.  NetlQ. 
We're  the  management  people.  And  nobody  does 
management  smarter.  Nobody. 

►►  CIO  eBook!  Get  your  free  copy  of  From  Chaos  to  Control: 
The  CIO's  Executive  Guide  to  Managing  and  Securing 
the  Enterprise,  www.netiq.com/manageability 


net© 

Work  Smarter® 


©Copyright  2003  NetlQ  Corporation.  All  rights  reserved. NetlQ  and  the  NetlQ  logo  are  registered  trademarks  of  the  NetlQ  Corporation. 
All  other  names  and  products  mentioned  herein  may  be  the  registered  trademarks  of  their  respective  companies. 


■ 

1 

...  ;f; 4  7- 

1 

! 

IAN  CHEESEMAN  IS  PRESIDENT  OF 

LVA  Communications,  a  small  public  relations 
consultancy  headquartered  in  Niantic,  Conn.,  with 
subsidiary  offices  in  New  York  City  and  Silicon 
Valley.  But  earlier  in  his  career  he  was  the  data- 
processing  manager  for  a  municipal  insurance  com¬ 
pany— a  fact  that  may  have  something  to  do  with  one 
of  LVA’s  employee  termination  procedures. 

LVA  is  a  contractor  to  its  string  of  high-tech 
clients,  and  consequently  its  employees  are  routinely 
granted  high-level  access  to  its  clients’  systems.  “With 
most  of  our  clients,  we  can  get  in  behind  the  firewall,” 
Cheeseman  says.  “But  we’ve  noticed  that  while  com¬ 
panies  may  be  diligent  about  blocking  access  for 
their  own  former  employees,  they  often  don’t  seem 
to  have  a  system  for  dealing  with  contractors’ 
employees.  If  someone  at  a  contractor  left,  the  client 
company  might  not  find  out  about  it  for  months— if 
at  all.”  So  when  a  worker  leaves  LVA,  the  company 
is  proactive  about  communicating  that  to  affected 
clients.  LVA  collects  items  such  as  contractor  ID 
badges  as  a  routine  part  of  the  termination  process. 
As  soon  as  the  employee  has  left,  says  Cheeseman, 
LVA’s  human  resources  administrator  telephones 
the  client  companies  on  whose  behalf  the  individual 
in  question  worked.  “Then  we  follow  up  that  call 
with  an  e-mail  so  that  there’s  a  paper  trail,"  he  adds. 
“The  message  is  quite  specific:  This  individual  has 
left  our  employment  and  should  no  longer  be 


Poorly  handled,  employee 
terminations  can  create  a  slew  of 
security  risks.  That’s  why  CSOs  need 
to  create  a  thorough,  dignified 
process  for  letting  workers  go. 

BY  MALCOLM  WHEATLEY 


IN  THIS  STORY:  Why  terminations  are  often  done 
badly  ■  Commonly  overlooked  steps  in  recovering  and 
protecting  corporate  assets  ■  Technologies  that  can 
help  manage  and  automate  the  process 


ILLUSTRATION  BY  GERARD  DUBOIS 


September  2003  www.csoonline.com  37 


Employee  Termination 


allowed  access  to  your  premises  or  your  data.’” 

After  a  spate  of  well-publicized  incidents 
where  former  employees  wreaked  havoc  after 
gaining  access  to  companies’  systems— and 
premises— the  security  processes  for  employee 
terminations  ought  to  be  nailed  down  hard 
and  fast  by  now.  As  every  new  breach  makes 
clear,  though,  that’s  simply  not  the  case.  It’s 
not  as  if  the  task  is  a  difficult  one;  updating 
passwords  and  retrieving  access  cards  is 
hardly  rocket  science.  But  it’s  no  mystery  why 
it  just  doesn’t  get  done  in  a  thorough  manner. 
Firing  or  laying  off  an  employee  is  an  uncom¬ 
fortable  experience  that  even  highly  profes¬ 
sional  line-of-business  managers  would  rather 
not  think  about.  The  result?  From  the  security 
perspective,  the  process  of  firing  people  is 
often  a  mess.  As  Joe  Magee,  former  CSO 
of  Top  Layer  Networks,  says,  “When  termi¬ 
nations  happen,  there’s  often  considerable 
chaos  and  a  lot  going  on.  It’s  easy  for  things  to 
get  overlooked  and  for  security  measures  to 
take  second  place.” 

But  by  pulling  together  a  thorough,  docu¬ 
mented,  humane  procedure  for  employee  ter¬ 
minations,  the  CSO  can  help  make  the  process 
easier— though  not  painless— for  all  involved, 
protecting  the  physical  and  digital  assets  of  the 
company  as  well  as  the  dignity  of  the  depart¬ 
ing  employees  and  their  supervisors.  Here’s 
some  advice,  garnered  from  experts,  on 
aspects  of  the  process  frequently  overlooked  or 
misunderstood. 

Absence  of  Progress 

How  widespread  is  the  lack  of  clear  thinking 
on  this  subject?  Hard-and-fast  figures  are 
scarce,  but  Margaret  McCausland,  a  partner  in 
the  Employment/Benefits/Labor  practice  of 
national  law  firm  Blank  Rome,  estimates— 
based  on  the  calls  she  gets  from  clients— that 
roughly  50  percent  of  companies  with  50  to 
100  employees  have  adequate  procedures  in 
place  for  letting  people  go.  With  larger  com¬ 
panies,  the  figure  improves— climbing  perhaps 
closer  to  80  percent.  However,  McCausland 
says  that  even  for  those  with  some  kind 
of  documented  process,  confusion  over  “the 
right  way”  to  do  the  job  actually  creates  more 
problems. 

For  an  example  of  a  common,  yet  inadvis¬ 
able  procedure,  McCausland  says  look  no  fur¬ 
ther  than  the  practice  of  ushering  departing 


employees  off  the  premises.  Far  from  pre¬ 
venting  people  from  stealing  data  or  lashing 
out  in  some  other  manner  at  their  former 
employers,  this  process  might  actually  be 
encouraging  them.  “Employers  sometimes  ask 
me,  ‘Should  we  escort  people  out?’  And  I  say 
to  them:  ‘Why?  Are  they  going  to  damage 
something  on  the  way  out?  Or  steal  some¬ 
thing?  No.  Treating  people  like  a  suspect  is 
more  likely  to  cause  them  to  retaliate.” 

“Treating  a  terminated  employee  as  a  seri¬ 
ous  security  risk— by  escorting  them  out  of 
the  building  under  guard,  for  example- 
increases  the  likelihood  that  they  will  be  a 
danger,”  agrees  David  Creelman,  chief  of  con¬ 
tent  and  research  at  human  resources  man¬ 
agement  portal  HR.com.  “Terminated 
employees  don’t  have  guns  to  pull  at  the  ter¬ 
mination  interview.  But  if  they  feel  betrayed 
and  humiliated  then  they  may  go  home,  get  a 
gun  and  come  back.  Most  companies  overre¬ 
act  on  security.  They  march  good  people  out 
the  door  under  security  escort,  which  simply 


terminations 
happen,  there’s 
often  considerable 
chaos  and  a  lot 
going  on.  It’s  easy 
for  things  to  get 
overlooked  and  for 
security  measures 
to  take  second 
place. 

-JOE  MAGEE,  FORMER  CSO  OF 
TOP  LAYER  NETWORKS 


damages  morale  in  the  company  and  greatly 
enhances  the  likelihood  of  a  wrongful  termi¬ 
nation  suit  or  other  retaliatory  action.” 

Top  CSOs  chime  in  as  well  on  this  point. 
“You  probably  are  asking  people  to  retaliate,” 
says  Grant  Crabtree,  vice  president  of  corpo¬ 
rate  security  at  Alltel,  an  $8  billion  telecom 
service  company.  “Under  some  circumstances 
it  might  be  warranted,  but  it  would  have  to  be 
exceptional  for  us  to  do  that.  I  think  many  of 
my  colleagues  would  agree.” 

McCausland  says  existing  termination  poli¬ 
cies  frequently  focus  on  things  that  touch  only 
peripherally  on  security  issues,  if  at  all. 
Instead,  their  focus  is  often  on  avoiding  unfair 
dismissal  suits  and  the  like.  “Companies  have 
become  accustomed  to  lawsuits  and  litigation 
when  terminating  people  and  now  think 
ahead  and  say,  ‘Should  I  terminate  this  per¬ 
son?  And  if  so,  how  do  I  terminate  them?”’  she 
says.  “But  beyond  that,  they  often  don’t  think 
very  far  ahead  at  all.” 

Disabling  information  systems  access  is 
another  area  that  a  good  policy  should  spell 
out  clearly.  “It’s  one  of  the  great  missed  oppor¬ 
tunities  in  security,”  says  Giuseppe  Cimmino, 
director  of  corporate  systems  architecture  at 
Discovery  Communications,  the  parent  com¬ 
pany  of  the  Discovery  Channel,  Animal  Planet 
and  The  Learning  Channel.  “Security  con¬ 
sultants  focus  on  the  bits  and  bytes  of  fire¬ 
walls  and  not  on  the  accounts  that  remain 
provisioned  for  people  who  don’t  exist.”  Once 
again,  hard  evidence  is  scant,  but  what  evi¬ 
dence  there  is  certainly  supports  Cimmino’s 
assertion.  A  survey  into  corporate  identity 
management  practices,  published  jointly  by 
Novell  worldwide  services,  Stanford  Univer¬ 
sity  and  Hong  Kong  University  of  Science  and 
Technology  in  March  2003,  found  that 
43  percent  of  companies  surveyed  took  more 
than  two  days  to  revoke  the  access  rights  of 
departed  employees— and  that  15  percent  took 
more  than  two  weeks.  Incredibly,  some  busi¬ 
nesses  appeared  never  to  revoke  access  rights 
at  all. 

As  in  McCausland’s  anecdotal  experience, 
smaller  companies  did  indeed  perform  worse 
in  the  survey:  54  percent  of  companies  with 
fewer  than  10,000  employees  reported  a  lag  of 
more  than  two  days,  while  just  32  percent  of 
companies  with  more  than  10,000  employees 
reacted  as  slowly.  And  European  companies 


38  www.csoonline.com  September  2003 


Your  network  s  back  door 

ROGUE  MODEMS  OFTEN  ELUDE  THE  I.T.  DEPARTMENT’S  NOTICE 


Suspecting  that  he  is  about  to  be  fired,  the  employee  sets  up  a  “back 
door"  into  his  employer’s  systems.  Once  terminated,  he  uses  it  to 
wreak  havoc.  That’s  how  the  plot  goes  in  popular  fiction,  anyway.  But 
in  practice  it’s  harder  to  set  up  a  back  door  than  the  fiction  writers 
assume,  and  even  more  difficult  to  keep  it  hidden. 

Unless  you  use  a  modem.  “In  any  large  organization  around  the 
world,  you  will  find  modems  that  you  didn’t  know  existed  and  which 
aren’t  subject  to  the  barriers  that  firewalls  offer,”  says  Jon  Morris, 
managing  director  of  Ambersail,  a  Warrington,  U.K. -based  security 
consultancy.  “Companies  spend  an  absolute  fortune  on  firewalls  and 
security  procedures,  and  it  only  takes  a  single  modem  to  bypass  all 
that.” 

Using  “war  dialers,”  Ambersail  specializes  in  tracking  down  rogue 
modems,  counting  some  of  the  world’s  largest  companies  and  financial 
institutions  among  its  clients.  “We’ve  found  instances  of  production 


boxes  with  modems  attached  that  don’t  even  have  passwords,”  says 
Morris.  “You  can  dial  in,  and  you’ve  got  administration  rights  on  a 
production  box.  It’s  amazing.”  Typically,  he  says,  the  number  of 
modems  found  varies  between  3  percent  and  15  percent  of  docu¬ 
mented  extensions. 

Why  so  many?  IT  employees  themselves  are  often  to  blame, 
installing  modems  because  they  make  remote  troubleshooting  easier. 
Hardware  manufacturers  too  can  stipulate  that  a  modem  must  be 
attached  to  their  equipment  for  support  and  diagnostic  purposes. 

With  careful  thought,  Morris  says,  it’s  often  possible  to  reduce  the 
number  of  modems.  And  then  place  those  that  remain  on  a  strict  pass¬ 
word  regime,  updated  as  employees  leave.  “You  can’t  eliminate 
modems,  and  you  can’t  stop  employees  leaving— but  you  can  prevent 
departed  employees  using  them  to  gain  access,  once  you  know  where 
the  modems  are,”  he  says.  -M.W. 


reacted  more  slowly  than  did  North  American 
or  Asian  companies:  More  than  20  percent  of 
European  companies  took  two  weeks  or  more, 
while  just  10  percent  of  North  American  and 
Asian  companies  reported  taking  as  long. 

All  Kinds  of  Access 

The  conventional  wisdom  is  that  businesses 
are  most  at  risk  from  individuals  who  have 
been  abruptly  fired— perhaps  as  a  result  of 
performance-related  issues  or  through  down¬ 
sizing— and  who  consequently  harbor  a 
grudge.  While  that’s  probably  true,  experts 
stress  that  the  real  risk  is  much  broader. 

Individuals  who  have  left  voluntarily,  for 
example,  may  still  want  to  strike  back  or  sim¬ 
ply  seek  to  exploit  weaknesses  to  further  their 
careers  at  a  competitor.  The  Novell-Stanford- 
Hong  Kong  study,  for  example,  cites  a  former 
employee  at  a  global  investment  bank,  now 
working  for  a  competitor,  who  was  able  to 
access  her  voice  mail  for  months  after  she  had 
left,  gaining  access  to  all  internal  banking 
announcements.  That  kind  of  risk  can  even 
extend  to  current  employees,  as  companies 
typically  have  more  internal  movers  than  they 
do  leavers.  The  level  of  access  that  is  appro¬ 
priate  for  one  position  in  a  company  may  not 
be  appropriate  for  another,  but  how  many 
companies  proactively  (and  promptly)  change 
user  access  rights  when  individuals  move  from 
one  function  to  another? 


Not  as  many  as  ought  to,  asserts  Deepak 
Taneja,  CTO  of  security  software  purveyor 
Netegrity.  “We  see  this  a  lot,”  he  says.  “It’s  a 
real  problem.”  The  reason,  it  appears,  is  that 
businesses  are  blind  to  the  termination  impli¬ 
cations  of  internal  moves.  When  Joe  in  IT 
moved  to  customer  support,  his  access  rights 
were  left  unchanged,  either  because  of  apathy 
or  because  for  an  intended  interim  period  it 
actually  made  sense.  But  five  years  later,  when 
the  customer  support  function  is  outsourced 
and  Joe  is  suddenly  axed,  the  fact  that  the 
company  has  just  fired  someone  with  current 
IT-function  access  rights  is  forgotten— until  it 
is  too  late. 

The  potential  risk,  of  course,  goes  beyond 
mere  electronic  vandalism.  Many  employees 
who  might  think  twice  about  inflicting  dam¬ 
age  will  be  far  more  sanguine  about  stealing 
information.  And  incredibly,  “A  lot  of  people 
don’t  think  about  things  like  intellectual  prop¬ 
erty  and  commercially  sensitive  information 
when  undertaking  layoffs,”  warns  one  sea¬ 
soned  CSO  who  asked  not  to  be  identified. 

One  solution,  suggests  Bernie  Cowens,  vice 
president  of  security  services  at  IT  consulting 
and  security  solutions  company  Rainbow  Tech¬ 
nologies,  is  for  companies  to  go  through  a 
process  of  figuring  out  which  people  in  the 
organizational  hierarchy  have  high  levels  of 
access  and  to  then  make  sure  that  any  termi¬ 
nation  actions  involving  those  people  are  han¬ 


dled  with  kid  gloves.  “They  tend  not  to  be  peo¬ 
ple  with  big  titles— in  fact,  they  can  be  quite 
low-level,”  he  says.  “Then  bring  together  a 
standing  or  ad  hoc  committee  of  people  from 
legal,  human  resources  and  the  information 
security  function  to  go  through  a  step-by-step 
process  of  understanding  what  systems  each 
individual  has  access  to,  how  and  when  to  turn 
off  that  access,  and  when  to  remove  the  pass¬ 
words.” 

But  what  about  the  “average”  employee— 
someone  who  might  not  have  administrator 
rights  to  an  IT  system,  but  who  could  still  dam¬ 
age  or  steal  information  if  he  so  minded?  One 
answer  is  to  create  access  “profiles”  associated 
with  each  job  description  in  the  organization, 
laying  down  the  access  rights  that  an  individual 
in  each  position  has,  suggests  Michelle  Drolet, 
CEO  of  Conqwest,  a  Holliston,  Mass. -based 
security  and  policy-assessment  consultancy. 
Gathered  together  under  a  single  profile,  she 
says,  it’s  easier  to  see  when  individuals  have 
more  access  than  they  should,  and  it’s  much 
easier  to  switch  that  access  off  when  they  leave. 
“Firewalls  just  don’t  cut  it  anymore,”  she  says. 
“It’s  all  about  access  rights.” 

Discovery’s  Cimmino  points  out  that  regu¬ 
lar  housekeeping  is  required  to  keep  the 
details  of  access  rights  current.  At  his  com¬ 
pany,  for  example,  managers  routinely  receive 
e-mails  from  the  administration  function,  in 
effect  saying:  “This  is  who  we  think  you’ve  got 


September  2003  www.csoonline.com  39 


Digital  Document 
Security  and  IT: 
Everything  you 
need  to  know. 

What  are  the  most  significant 
•  digital  copier  security  issues? 

A#  Various  copier  print  controllers 
•  are  actually  servers  that  queue 
and  permanently  store  multiple 
document  files,  providing  administrator 
access  to  the  documents.  At  a 
minimum,  most  digital  copiers  retain 
the  last  document  processed;  some 
even  retain  multiple  documents 
totaling  hundreds  of  pages.  Others 
redirect  print  jobs  when  the  printer  is 
busy  or  jammed,  making  "denial  of 
service"  attacks  possible. 

.  #  How  does  Sharp  protect  the 
.  •  network  interface? 

A#  The  Sharp  Ethernet  card  allows 
•  administrators  to  restrict  access 
and  disable  unnecessary  protocols. 
With  this  network  card,  the  Sharp 
digital  copier  is  essentially  protected 
by  its  own  firewall. 

#  How  can  you  be  sure  that 
,  •  security  products  actually 
perform  as  claimed? 

A#  The  Common  Criteria  program 
•  — administered  by  the  U.S. 
National  Security  Agency  and  the 
National  Institute  of  Standards  and 
Technology — evaluates  security 
solutions.  Products  that  are  validated 
under  the  program  meet  security  levels 
consistent  with  ISO  1 5408  methodology. 

Q#  How  can  Sharp  improve  IT 
•  security? 

A#  Sharp  offers  print  privacy 
•  solutions  designed  to  restrict 
unauthorized  personnel  from  seeing 
confidential  materials.  Copier  access 
can  be  controlled  and  monitored, 
while  documents  retained  in  printer/ 
copier/scanner/fax  memory  are 
immediately  cleared  to  eliminate 
unauthorized  access. 


sharpusa.com 


be  sharp 


©2003  Sharp  Electronics  Corporation. 


Employee  Termination 


in  your  organization.”  Another  smart  tactic 
Cimmino  offers  is  to  provision  contract  and 
temporary  workers  with  accounts  that  have 
automatic  “stop  dates,”  after  which  they  cease 
to  function,  unless  extended.  In  theory,  of 
course,  the  account  gets  killed  the  day  the 
employee  leaves,  but  if  for  some  reason  that 
shouldn’t  happen,  the  stop  date  acts  as  a  use¬ 
ful  backstop. 

Hence  the  attraction  of  so-called  active 
directory  approaches,  where  a  dedicated 
system— often  linked  to  the  HR  system— man¬ 
ages  the  provisioning  and  de-provisioning  of 
user  accounts.  Especially  for  large  and  decen¬ 
tralized  organizations,  active  directory  man¬ 
agement  is  seen  as  a  way  to  securely  provide, 
and  remove,  user  rights  at  grassroots  level 
without  the  costs  of  a  hefty  IT  presence.  “As 
soon  as  the  notification  comes  from  HR,  an 
individual’s  account  is  disabled,”  says  Sieg¬ 
fried  Jagott,  an  IT  consultant  with  Siemens 
Business  Services.  Jagott  managed  the  imple¬ 
mentation  project  of  an  active  directory  man¬ 
agement  solution  from  Aelita  Software  for 
Siemens  Power  Generation  of  Munich,  Ger¬ 
many,  which  houses  22,000  employees.  The 
disabling  is  for  two  or  three  months,  after 
which  the  data  is  deleted— not  permanently, 
as  German  law  requires  its  retention  for  up  to 
10  years.  “The  disabling  feature  is  useful  as 
people  occasionally  return,  and  disabled 
accounts  can  be  reinstated  with  the  same  user 
name  and  other  details,”  Jagott  says. 

Man  with  the  Plan 

Helpful  as  they  are,  technical  solutions  are 
still  only  a  step  on  the  journey  toward  well- 
managed  terminations.  Happily,  a  few  com¬ 
panies  are  further  down  that  path.  British 
Telecom  (BT)  is  an  example.  Andy  Hodgson, 
vice  president  of  security  at  BT’s  global  serv¬ 
ices  division,  explains  that  with  just  100 
staffers  and  a  virtual  security  team  to  police 
the  security  of  the  20,000-employee  division 
(which  operates  in  43  countries  around  the 
world),  the  company  relies  heavily  on  a 
detailed  termination  checklist  that  the  man¬ 
ager  of  every  departing  employee  must  com¬ 
plete  and  sign.  BT  regularly  audits  compliance 
with  the  process.  (BT’s  full  checklist  is  avail¬ 
able  at  www.csoonline.com/printlinks.) 

The  power  of  the  checklist,  Hodgson  says, 
is  that  it  makes  a  single  person  responsible  for 

40  www.csoonline.com  September  2003 


Loyalties 
die  hard 


Here  are  some  frightening— but  anony¬ 
mous— words  from  a  source  familiar  with 
security  breaches  at  a  number  of  Fortune  500 
companies. 

“The  employees  who  are  left  behind  are  as 
much  of  an  issue  as  the  employee  who  was 
terminated,”  he  says.  Former  coworkers,  out 
of  a  misplaced  sense  of  loyalty,  may  recon¬ 
nect  the  terminated  employee  with  the  net¬ 
work.  Sometimes  that  involves  allowing  him 
to  recover  “personal”  information  from  his 
workstation.  Or  a  former  coworker  might  pro¬ 
vide  a  terminated  individual  with  an  archive  of 
his  e-mail,  allowing  him  to  stay  in  touch  with 
former  customers.  In  other  cases,  individuals 
had  their  e-mail  accounts  re-enabled  or  were 
granted  renewed  VPN  access.  “It  does  hap¬ 
pen— it’s  not  fiction,”  he  says,  “and  it’s  sur¬ 
prisingly  difficult  to  identify  when  it  has 
happened,  and  who  did  it.”  -M.W. 


a  whole  series  of  security-related  termination 
“transactions.”  “It  goes  beyond  making  sure 
that  the  employee  hands  in  items  such  as  his 
identity  card  and  building  pass,  and  that  sys¬ 
tem  access  rights  are  rescinded,  but  also  cov¬ 
ers  physical  assets  such  as  office  keys,  vehicles, 
cell  phones  and  laptop  computers,”  he  says. 

The  lesson  is  clear.  Managers  may  groan  at 
the  prospect  of  yet  another  administrative 
process  being  foisted  on  them,  but  today’s 
procedures  for  separating  organizations  and 
employees  are  just  too  slipshod.  BT’s  detailed 
checklist  may  strike  some  as  overly  prescrip¬ 
tive— but  that’s  likely  to  be  before  they’ve 
suffered  a  significant  breach  by  a  former 
employee,  not  after.  ■ 

Malcolm  Wheatley  is  a  freelance  writer  based  in  England. 
Send  feedback  to  Executive  Editor  Derek  Slater  via  e-mail  at 
dslater@cxo.com. 


Tell  Us  Your  Termination  Tales 


Have  any  stories  of  terminations  gone  all  wrong?  Go  online 
and  share  your  stories  and  advice  with  fellow  CSO  readers. 
Type  the  DocID  number  (above)  into  the  search  box  at 
www.csoonline.com  and  add  a  comment  to  this  story. 


.  -  -  .  ...  ,  ,  {  /  _  r;  . 

^Trends  in  Proprietary  Information  Loss  Survey  (ASIS  2002).  ©2003  Sharp  Electronics  Corporation 


How  secure  is 


Protect  your  information  with  the  Data  Security 
Kit  from  Sharp.  Financial  facts,  personnel  records, 
customer  lists:  networked  copiers/printers  process 
sensitive  information  every  day.  Unfortunately,  their 
hard  drives  can  also  be  accessed  via  the  network, 
contributing  to  $60  billion  worth  of  information 
theft  every  year.*  To  protect  this  weak  link  in  your 


L-, '  Common  Criteria 

® 


your  digital  information? 


corporate  security,  we've  created  our  Data  Security 
Kit.  It's  the  first  copier  and  printer  protection  to 
be  validated  by  Common  Criteria,  a  government- 
sponsored  program,  and  it's  available  only  with 
our  Digital  IMAGER™  series  of  copiers/printers. 
Sharp's  Data  Security  Kit.  Enhanced  information 
protection  at  your  fingertips,  sharpusa.com/security 


The  Evolution  of  a 


Bruce  Schneier  literally  wrote  the  book  on  cryptography.  Then  he 
started  a  successful  IT  security  business.  Now,  Schneier  is  evolving 
again,  past  the  purely  technological  realm  into  a  holistic  view  of 
security,  both  physical  and  technical. 


or  a  while,  it  seemed  as  if  Bruce  Schneier  himself  was  encrypted.  No  one  could 
decipher  his  whereabouts  for  an  interview  with  CSO.  This  was  unusual  because 
Schneier,  founder  and  CTO  of  Counterpane  Internet  Security,  is  usually  aggressively 
available  to  the  press.  Plus,  he  has  a  new  book  to  promote— Beyond  Fear:  Thinking 
Sensibly  About  Security  in  an  Uncertain  World— a  decidedly  iconoclastic  and  non-IT  view 
of  security.  But  the  book  also  challenges  physical  security  practitioners  to  learn  a  thing 
or  two  from  the  infosecurity  ranks:  to  think  in  terms  of  systems. 

Beyond  Fear  represents  Schneier’s  most  ambitious  departure  yet  from  infosecurity, 
an  arc  he’s  been  traversing  for  some  time  now.  When  Senior  Editor  Scott  Berinato  finally 
found  him,  at  a  folk  festival  in  Winnipeg,  Canada,  he  was  eager  to  talk  about  his  evolu¬ 
tion  from  mathematician  to  security  generalist,  and  about  the  cultural  disconnect 
between  physical  and  information  security  and  what  he  means  by  "brittle  security.” 


IN  THIS  STORY:  Why 

consensus  is  bad  and  conflict 
is  good  How  to  engage  in 
constructive  debate  The 
key  to  managing  up 


CSO:  You’ve  certainly  evolved 
from  your  cryptography  days. 
Bruce  Schneier:  Security  is 
a  system,  and  the  more  I 
worked  with  security  the  more 
I  realized  that  a  systems  per¬ 
spective  is  the  most  appropri¬ 
ate  one.  When  my  primary 
work  was  in  cryptography,  I 
would  design  mathematically 
secure  systems  that  would  be 
defeated  by  clever  attacks 
against  the  computers  they 
ran  on.  Then,  when  I  started 
doing  more  work  in  computer 
security,  I  would  see  well- 
designed  security  software 
and  hardware  being  defeated 


by  insecure  networks.  And 
then  secure  networks  being 
defeated  by  human  error.  And 
so  on.  Security  is  a  chain,  and 
it’s  only  as  secure  as  the  weak¬ 
est  link.  Improving  the  cryp¬ 
tography  is  often  a  futile 
exercise  of  strengthening  the 
strongest  link.  Looking  for  the 
weakest  link  inevitably  leads 
one  to  an  ever-expanding  sys¬ 
tems  perspective. 

Similarly,  noncomputer 
security  can  best  be  under¬ 
stood  and  evaluated  using  the 
same  techniques  we’ve  devel¬ 
oped  for  computer  systems. 
The  whole  impetus  driving 


Beyond  Fear  was  my  realiza¬ 
tion  that  conventional  security 
was  mostly  a  hodgepodge  of 
tricks  and  techniques,  and  that 
there  was  little  systems  think¬ 
ing.  And,  as  a  computer-secu¬ 
rity  expert,  I  could  bring  some 
of  that  kind  of  thinking  into 
the  debate. 

You’ll  ruffle  some  feathers  with 
that.  The  cultural  merger  of 
physical  and  IT  security  will  be 
hard.  Some  will  take  exception 
to  your  idea  that  they’re  not 
thinking  in  terms  of  systems. 
There’s  a  huge  cultural  dis¬ 
connect  between  the  physical 


42  www.csoonline.com  September  2003 


PHOTOGRAPHY  BY  STEVE  NIEDORF 


Interview 


I  CERTAINLY  DON’T  ADVOCATE  WANTONLY 
APPLYING  TECHNOLOGY.  MOST  OF  THE  TIME 
THE  SECURITY  PROBLEMS  ARE  INHERENTLY 

PEOPLE  PROBLEMS.  -BRUCE  SCHNEIER 


security  guys  and  the  computer  security 
guys  precisely  because  the  former  don’t 
think  in  terms  of  systems.  I  see  it  all  the 
time  when  I  look  at  security  systems.  The 
physical  guys  spend  a  lot  of  time  worrying 
about  national  ID  cards,  while  I  wonder 
what  identification  has  to  do  with  the 
threats  they  are  supposed  to  be  countering. 
The  physical  guys  make  sure  identification 
is  checked  twice  at  airports,  but  I  notice  that 
the  people  doing  the  ID  verification  can’t 
tell  the  real  documents  from  forgeries. 

The  physical  guys  think  that  confiscating  a 
penknife  from  a  grandmother  is  a  success, 
but  I  see  a  system  that  failed.  Our  security 
is  so  riddled  with  holes  because  the  physical 
guys  don’t  think  in  terms  of  systems. 

Your  evolution  can  be  seen  as  a  microcosm 
of  what  we've  seen— that  info  and  physical 
security  are  two  tactics  shared  by  the  security 
discipline.  Do  you  meet  resistance  from 
physical  security  guys  when  you  speak  more 
broadly  about  security,  and  conversely  what 
do  IT  security  folks,  cryptographers  and  the 
like  think  about  your  broadening  view? 

The  traditional  physical  security  profession 
is  centuries  old  and  very  resistant  to  change. 
I  find  that  most  practitioners  aren’t  able  to 
think  about  their  traditional  problems  in 
new  ways.  We  saw  this  clearly  in  January 
2003,  when  Matt  Blaze  published  a  paper 
on  how  to  break  a  physical  door-locking  sys¬ 
tem.  Professional  locksmiths  were  outraged; 
“secret  knowledge”  should  never  be  in  the 
hands  of  the  masses.  But  from  my  perspec¬ 
tive,  secret  knowledge  is  always  in  the  hands 
of  the  bad  guys,  and  unless  the  good  guys 
possess  the  same  knowledge,  the  problem 
will  never  get  fixed. 

IT  professionals,  on  the  other  hand, 
are  much  more  eager  to  learn  how  their 
methodologies  and  ways  of  thinking  might 
apply  to  real-world  security.  I  have  long 
used  physical  metaphors  to  explain  com¬ 
puter  security  techniques;  it’s  no  surprise 
that  computer  security  methodologies  can 
apply  to  physical  security  problems. 

A  physical  security  guy  would  argue  that  com¬ 
puter  security  folks  are  always  trying  to  solve 
problems  with  technology  even  when  it’s  not 
appropriate.  Should  we  acknowledge  some 


fallibility  in  leading  with  the  IT  security  foot  in 
some  cases  versus  the  physical  security  foot? 

Computer  security  folks  are  always  trying  to 
solve  problems  with  technology,  which 
explains  why  so  many  computer  solutions 
fail  so  miserably.  I  advocate  thinking  about 
security  in  terms  of  systems;  I  certainly 
don’t  advocate  wantonly  applying  technol¬ 
ogy.  Most  of  the  time,  the  security  problems 
are  inherently  people  problems,  and  tech¬ 
nologies  don’t  help  much.  Photo  ID  checks 
are  a  great  example:  Technologists  want  to 
add  this  and  that  technology  to  make  IDs 
harder  to  forge,  but  I  worry  about  people 
bribing  issuing  officials  and  getting  real  IDs 
with  fake  names.  (At  least  two  of  the  9/H 
terrorists  did  that.)  Making  IDs  harder  to 
forge  doesn’t  solve  the  people  problem. 

The  iconoclasm  in  your  book  starts  with  its 
subtitle,  Thinking  Sensibly  About  Security  in 
an  Uncertain  World.  The  implicit  jab  here  is 
that  there’s  plenty  of  nonsensical  thinking  that 
needs  correcting.  What  are  some  of  the  most 
extreme  cases  you’ve  seen  or  heard? 

Stupid  security  stories  are  a  dime  a  dozen. 
There’s  a  website  that  chronicles  them 
{www.stupidsecurity.com)— and  an  annual 
award  for  the  most  egregious  offenders 
(see  “Award-Winning  Stupidity,”  Briefing, 
August  2003).  My  greatest  fear  surrounding 
all  these  stupid  security  measures  is  that 
people  actually  believe  they  do  some  good. 

Many  people  believe  that  increasing 
demands  for  identification  increases  secu¬ 
rity.  Many  believe  that  confiscating  pocket- 
knives  from  airplane  travelers  decreases  the 
risk  of  hijacking.  Security  is  both  a  feeling 
and  a  reality,  and  the  more  the  two  diverge, 
the  more  trouble  we’re  all  in. 

What  has  two  years  of  cyberterrorism  hype 
yielded? 


There  is  definitely  a  lot  of  nonsense  being 
written  about  cyberterrorism  these  days.  You 
can  cry  wolf  only  so  many  times  before  peo¬ 
ple  start  ignoring  you;  after  two  years,  people 
have  become  numb  to  the  real  threats.  Even 
as  the  risks  of  cyberterrorism  are  overstated 
and  overhyped,  the  risks  of  cybercrime  are 
downplayed  and  minimized.  My  company 
performs  managed  security  monitoring  for 
hundreds  of  companies  worldwide,  and  we 
see  common  crime  every  day.  But  it’s  the  ter¬ 
rorism  risks  that  grab  the  headlines,  and 
then  nothing  happens.  There’s  an  issue  of 
deflected  responsibility  going  on  here.  If  the 
problem  is  cyberterrorism,  then  the  govern¬ 
ment  has  to  do  something  about  it.  If  the 
problem  is  cybercrime,  the  network  owners 
have  to  fix  the  problem.  If  you  run  a  major 
network,  it’s  certainly  attractive  to  shift  the 
responsibility  elsewhere. 

Recently,  a  George  Mason  University  gradu¬ 
ate  student  presented  his  thesis  to  a  group 
of  CIOs.  The  student  had  mapped  the  entire 
telecommunications  infrastructure  of  the 
United  States,  using  largely  publicly  available 
information.  The  CIOs  demanded  he  cede  his 
laptop  to  authorities  and  leave  the  conference 
because  his  thesis  was  a  terrorism  risk. 

That  didn’t  surprise  me;  it’s  an  example  of 
a  common  confusion  between  secrecy  and 
security.  Actually  securing  our  telecommuni¬ 
cations  infrastructure  would  be  a  resilient 
security  countermeasure.  Not  bothering  to 
secure  our  telecommunications  infrastruc¬ 
ture  and  then  trying  to  keep  the  vulnerabili¬ 
ties  secret  is  brittle.  Once  the  secret  is  out, 
security  is  lost,  and  you  can’t  get  it  back.  You 
have  to  assume  that  bad  guys  can  collate  the 
same  information  that  the  student  did; 
thinking  otherwise  is  sloppy  security. 

Why  does  this  mind-set  persist— that,  if  we 


44  www.csoonline.com  September  2003 


keep  secrets  or  outlaw  certain  information, 
somehow  bad  guys  will  give  up? 

There  is  a  widespread  belief  that  secrecy 
equals  security.  It’s  a  common  misconcep¬ 
tion,  and  one  very  similar  to  the  traditional 
shoot-the-messenger  way  of  dealing  with 
someone  who  brings  bad  news.  I  think  it’s 
an  easy  mental  trap  to  fall  into  and  that 
many  people  do.  Secrecy  does  work  to  a 
point,  but  it’s  a  very  brittle  security. 

What  do  you  mean  by  “brittle?” 

I  use  the  term  to  describe  how  many  secu¬ 
rity  systems  fail.  Brittle  systems  are  systems 
that  fail  easily,  completely  and  catastrophi¬ 
cally.  A  house  of  cards  is  a  brittle  system; 
remove  one  card  and  the  whole  structure 
collapses.  Most  computer  systems  are  brit¬ 
tle:  When  security  fails,  it  fails  completely. 
Resilient  systems  remain  secure  even  in  the 
face  of  failure.  Different  security  systems 
back  each  other  up.  Major  failures  don’t 
turn  into  major  failures.  Chapter  9  of 
Beyond  Fear  talks  about  brittleness  and 
resilience,  and  I  identify  several  ways  of 
achieving  resilience:  defense  in  depth,  com- 
partmentalization,  flexibility  and  so  on. 
They’re  all  characteristics  of  natural  security 
systems  but  are  often  lacking  in  computer 
security  systems. 

How  is  Congress  doing  on  security? 

I’ve  testified  before  Congress  on  several  occa¬ 
sions,  so  they’re  getting  at  least  some  of  the 
right  speakers. 

The  process  of  security  is  orthogonal  to 
the  process  of  our  democratic  government. 
In  the  United  States,  lawmaking  is  a  process 


of  consensus.  The  reason  you  get  so  much 
FUD,  self-serving  aggrandizing,  and  parti¬ 
san  posturing  is  because  that’s  the  way  the 
process  works.  Everyone  provides  his  own 
input— often  in  the  form  of  money— and 
some  kind  of  consensus  is  reached.  Security 
doesn’t  work  that  way.  In  fact,  the  worst 
security  systems  are  those  developed  by  con¬ 
sensus.  Real  security  means  making  hard 
choices  that  hurt  certain  companies  and 
industries.  Real  security  means  doing  what’s 
right,  not  what’s  politically  safe.  The  recent 
National  Strategy  to  Secure  Cyberspace  is  a 
case  in  point.  Because  the  document  offends 
no  one,  it  accomplishes  nothing. 

While  I  believe  that  certain  individual 
members  of  Congress  have  a  good  under¬ 
standing  of  the  problems  and  technologies 
of  computer  security,  I  still  think  they 
believe  that  if  all  the  affected  parties  go 
into  a  room,  they  can  negotiate  a  solution. 
The  last  time  I  testified,  I  told  them  that  it 
wouldn’t  work  and  why.  They  all  nodded 
politely,  but  I  don’t  know  if  it  stuck. 

Why  do  people  have  such  a  difficult  time 
thinking  in  terms  of  risk  rather  than  binarily? 

I  think  the  real  question  is  Why  are  people  so 
lousy  at  estimating,  evaluating  and  accepting 
risk?  That’s  a  complicated  question,  and  I 
spend  most  of  Chapter  2  of  Beyond  Fear 
trying  to  answer  it.  Evaluating  risk  is  one  of 
the  most  basic  functions  of  a  brain  and  some¬ 
thing  hard-wired  into  every  species  possess¬ 
ing  one.  Our  own  notions  of  risk  are  based  on 
experience,  but  also  on  emotion  and  intuition. 
The  problem  is  that  the  risk  analysis  ability 
that  has  served  our  species  so  well  over  the 
millennia  is  being  overtaxed  by  modern  soci¬ 
ety.  Modern  science  and  technology  create 
things  that  cannot  be  explained  to  the  average 
person;  hence,  the  average  person  cannot 
evaluate  the  risks  associated  with  them.  Mod¬ 
ern  mass  communication  perturbs  the  natu¬ 
ral  experiential  process,  magnifying 
spectacular  but  rare  risks  and  minimizing 
common  but  uninteresting  risks.  This  kind  of 
thing  isn’t  new— government  agencies  like  the 
FDA  were  established  precisely  because  the 
average  person  cannot  intelligently  evaluate 
the  risks  of  food  additives  and  drugs— but  it 
does  have  profound  effects  on  people’s  secu¬ 
rity  decisions.  They  make  bad  ones. 


Do  the  privacy  implications  of  some  of  the 
new  security  measures  resulting  from  9/11— 
widespread  surveillance,  Terrorism  Informa¬ 
tion  Awareness  (TIA)— concern  you? 

Definitely.  Terrorism  is  rare,  while  crime 
is  common.  Security  systems  that  require 
massive  databases  in  order  to  function— 
TIA,  CAPPS  2— will  make  crime  easier. 
They’ll  make  identity  theft  easier.  They’ll 
make  illegal  government  surveillance  easier. 
They’ll  make  it  more  likely  that  rogue 
employees  of  the  governments  and  corpora¬ 
tions  that  maintain  the  systems  will  use  the 
data  for  their  own  purposes.  In  the  United 
States,  there  isn’t  a  government  database 
that  hasn’t  been  misused  by  the  very  people 
entrusted  with  keeping  its  information  safe. 
IRS  employees  have  perused  the  tax  records 
of  celebrities  and  friends.  State  employees 
have  sold  driving  records  to  private  investi¬ 
gators.  This  kind  of  thing  happens  all  the 
time. 

If  these  systems  would  actually  help 
reduce  the  risk  of  terrorism,  I  might  be 
willing  to  make  trade-offs.  But  they  don’t 
work.  Even  worse,  they  cause  more  security 
problems  than  they  purport  to  solve. 

What  is  going  unreported,  or  underreported, 
in  the  realm  of  security? 

The  most  surprising  thing  about  security  is 
how  little  it  has  to  do  with  security.  All  secu¬ 
rity  involves  trade-offs,  and  the  nonsecurity 
aspects  of  those  trade-offs  are  generally  far 
more  important  than  the  security  considera¬ 
tions.  For  example,  a  bank  would  never 
implement  a  security  system  that  would 
alienate  all  of  its  customers— no  matter  how 
secure  it  would  make  the  bank.  Airport 
security  will  confiscate  the  smallest  knives 
but  will  allow  matches  and  lighters— com¬ 
bustible  materials— through  because  the 
tobacco  lobby  pressured  the  government. 
Businesses  regularly  have  insecure  networks 
because  they  find  it  easier  to  get  things  done 
that  way.  ■ 


More  Opinions 

BRUCE  SCHNEIER  has  more  opinions  than  CSO  has 
space  to  print  them.  To  read  his  thoughts  on  cyberterror¬ 
ism,  national  ID  cards  and  secrecy,  go  to  the  URL  below. 


www.csoonline.com/printlinks 


September  2003  www.csoonline.com  45 


m 


br«. 


Stress  is  a  torture  chamber  that  can't  always  be  avoided. 


you  know?  Read  on  to  see  what  you  can  do  about  it. 


BY  CHRISTOPHER  KOCH 


sas 


wt 


M3 


SSSS 


&&S5 


gafji 


THE  PAST  20  YEARS  OR  SO 


SCIENCE 


you  sick.  The 
as 


rzcme  in  1998  went  so  far 


&g»3KS 


logical  responses  to  stress  is  critical  to  survival.”  Stress  may  con- 

•vi'*4,  }  ' .  '  '/>  -  _y  '.t  ■  j  ■ 

tribute  to  85 


-  pv?lu 

_ 


....  .......  ..  ,  vnP 

’  J  J 


counsels  executives  on  stress  reduction.  Fifty- two  percent  of  exec- 


utives  will  die  of  diseases  related  to  stress, 


KZras 


5  stress 


affects  nearly  every  major  system  in  our  bod¬ 
ies,  creating  a  laundry  list  of  health  problems- 


m 


vV.  .  awTV&p^Ksifj!-'  t 

' .  rJ%Hb  •.  y  .  .  .»  4B& ■  w  fai  . 


September  2003  www. c300nime.com 

msgui  ->/JH  ?.•  ,.*> 


47 


n 


'4c, Ji 


« 


!«Ejras*g4  - 


IStf 


StfM&vf- 


Personal  Management 


There’s  nothing  nomial  about 
lighting  up  ourbrains  with 
chemicals  and  shutting 
down  half  the  systems  m  our 
3odies  while  flooding  the 
Dloodstream  with  sugar. 


among  them  diabetes,  high  blood  pressure, 
stroke,  allergies,  asthma  and  colitis. 

The  clearest  sign  that  there’s  a  stress  epi¬ 
demic  can  be  seen  in  heart  disease  statistics. 
For  example,  a  recent  study  found  that  people 
who  get  less  than  five  hours  of  sleep  twice  a 
week  or  more  are  300  percent  more  suscepti¬ 
ble  to  heart  attacks.  Their  overall  rate  of  devel¬ 
oping  heart  disease  doubles. 

Not  surprising,  stress  has  been  on  the  rise 
in  the  past  few  years.  With  the  economy  gone 
bad,  unemployment  rising  and  the  increased 
threat  of  terrorism,  most  Americans  report 
feeling  more  stress  today.  It’s  even  worse  for 
executives. 

Constant  stress  does  more  than  damage 
your  health.  It  destroys  your  judgment  and 
distorts  your  decision-making  process.  Con¬ 
stant  stress  has  been  shown  to  shrink  the  hip¬ 
pocampus,  a  region  of  the  brain  that  controls 
memory  and  concentration.  “We  all  know 
anecdotally  that  when  someone  is  under  stress 
they  don’t  have  the  clearest  vision,”  says  Tyne. 
“They  don’t  have  the  patience  to  work  through 
a  complicated  decision.  They  will  have  a  ten¬ 
dency  to  abdicate  or  jump  into  a  decision 
prematurely.” 

Business  executives  don’t  like  to  talk  about 
how  stress  affects  them.  They  are  taught  that 
stress  is  to  be  accepted,  swallowed  whole  and 
its  effects  ignored.  Admitting  to,  or  worse, 
displaying  stress  is  a  sign  of 
weakness,  an  admission  of 
failure.  Unfortunately,  this 
belief  is  widely  shared,  at  least 
at  work. 

‘"You  have  to  carry  off  the 
position  with  dignity  and  a 
show  of  strength  in  public,” 
says  Jim  Quick,  professor  of 
organizational  behavior  at  the 
University  of  Texas  at  Arling¬ 
ton.  “You  have  to  reflect  the 
strength  and  power  of  the 
organization  even  if  as  an 
individual  you’re  feeling 
somewhat  vulnerable.” 

This  means  that  business- 
people  need  to  deal  with 
stress  on  their  own— a  lonely 
and  difficult  struggle  that 
few  choose  to  face.  Denial  is 
easier.  But  denial  inevitably 


extracts  its  own  toll  in  health,  relationships 
with  family  and  friends,  careers,  and  even 
lives. 

The  Science  of  Stress 

The  reason  that  stress,  and  our  response  to  it, 
has  so  much  power  over  us  has  to  do  with 
evolution,  which  as  far  as  stress  reaction  goes, 
stopped  30,000  years  ago  when  modern  man 
replaced  the  Neanderthal.  Our  earliest  human 
ancestor,  Cro-Magnon  man,  needed  to  control 
his  environment  in  specific  ways  to  avoid 
starving  or  being  eaten  by  predators.  To  sur¬ 
vive,  he  needed  help  holding  off  saber-toothed 
tigers  or  bringing  down  a  woolly  mammoth 
for  dinner— so  evolution  favored  those  who 


felt  uncomfortable  alone  and  sought  out  the 
company  of  others.  Knowing  the  guy  in  the 
next  cave  increased  one’s  survival  chances,  as 
did  the  drive  to  control  one’s  environment  by, 
say,  developing  a  mental  map  of  the  hunting 
grounds  nearby,  or  by  stacking  a  pile  of  clubs 
and  rocks  near  the  cave’s  entrance  for  protec¬ 
tion.  Cro-Magnon  man  learned  to  hate  uncer¬ 
tainty  because  in  his  world,  surprises  were 
usually  lethal. 

Today,  we  hate  uncertainty  every  bit  as 
much  as  our  ancestors  did.  Read  the  head¬ 
lines  about  Sept.  11,  the  postwar  chaos  in  Iraq, 
kidnapped  children  or  even  that  memo  from 
the  CEO  cutting  the  security  budget  (again), 
and  you’ll  experience  the  same  reactions  that 
our  caveman  had  when  he  noticed  that  the 
tigers  had  moved  from  their 
usual  lair:  sweaty  palms,  an 
elevated  heart  rate.  No 
doubt  the  caveman’s  wor¬ 
ries  and  stress  were  nearly 
constant,  but  he  rarely  lived 
long  enough  to  develop 
stress-related  pathologies 
such  as  heart  disease. 

We  do.  And  science  is 
now  linking  the  daily  anxi¬ 
eties  and  worries  that  cave¬ 
men  felt  to  a  much  more 
powerful,  primitive  reaction 
to  stress— the  “fight-or- 
flight  response,”  as  re¬ 
searcher  Walter  Cannon 
dubbed  it  in  the  early  1900s. 
This  is  the  biological  pro¬ 
cess  designed  to  help  a  cave¬ 
man  out  of  serious  jams 
such  as  a  saber-tooth  sud- 


12  Warning  Signs  That  You’re  Stressed  Out 


1.  Your  stor 


catch  colds 


emotionally 


2.  You  fee 

■/ .  ■ 

3.  You  snap  at  people:  colleagt 

4.  People  tell  you  they’re  worried ; 

5.  You  feel  that  if  you 

6.  You  feel 


going  to  blow 


quitting 


7.  You  feel  helpless,  out  of  control. 

8.  You  know  that  whatever  you  do,  t 

9.  And  you  know  that  when  they  do,  yi 

10.  You  feel  guilty  about  takir 

11.  You  know  the  problem:  It’s  everyaot 

12.  Yo 


vacation 


ut  youi 


SOURCE:  SCOTT  STACY.  CONICAL  PROGRAM  DIRECTOR  PROFESSIONAL  RENE 


HHH 


48  www.csoonllne.com  September  2003 


denly  showing  up  at  the  door  of  the  cave.  The 
process  is  extremely  effective  for  its  intended 
purpose:  fighting  the  tiger  or  running  away. 

First,  the  sight  of  the  tiger  signals  the 
brain’s  speed  regulator,  the  locus  coeruleus, 
to  shock  the  rest  of  the  brain  into  a  state  of 
hyperactivity  and  alertness.  The  brain  then 
causes  a  chemical  called  norepinephrine  to 
be  released  into  the  autonomic,  or  involuntary, 
nervous  system— turning  up  the  dial  on  blood 
pressure  and  respiration.  Simultaneously,  cor¬ 
tisol,  known  as  the  stress  hormone,  shoots 
through  the  bloodstream  to  vital  systems, 
turning  off  those  that  don’t  play  an  immediate 
role  in  survival  (such  as  digestion  and  the 
immune  system)  while  supercharging  others 
(such  as  the  liver)  to  provide  extra  sugar  to  fuel 
the  brain  and  muscles.  Meanwhile,  adrenaline 
turns  up  the  heart  rate  and  blood  flow.  It’s 
like  gunning  the  accelerator  at  a  stoplight. 
The  body  is  revving  itself  up  for  what,  in  the 
caveman  days,  was  very  likely  to  follow:  a  life- 
or-death  struggle  or  a  frantic  escape. 

The  Wages  of  Stress 

We’ve  come  to  accept  stress  as  a  normal  part  of 
our  lives,  but  there’s  nothing  normal  about 
lighting  up  our  brains  with  chemicals  and 
shutting  down  half  the  systems  in  our  bodies 
while  flooding  the  bloodstream  with  sugar. 
Today,  our  bodies  don’t  get  much  of  a  break 
from  the  stress  response,  which  was  designed 
to  be  an  occasional  event,  not  a  constant  con¬ 
dition  of  existence.  “We’ve  all  come  to  believe 
that  occasional  headaches  or  muscle  tension 
from  stress  is  normal,  but  it  isn’t  normal,” 
says  Tyne.  “A  normal  body  doesn’t  have 
headaches.” 

Stress  sends  a  constant  flow  of  sugar  into 
the  bloodstream  to  feed  fleeing  muscles,  but 
with  our  less  active  modern  lives,  the  sugar 
doesn’t  get  burned  up.  “Having  high  levels  of 
sugar  in  the  blood  is  like  having  rust  in  your 
gas  tank,”  says  Tyne.  “It  flows  into  every  part 
of  the  engine.”  The  body  responds  by  releasing 
insulin  to  regulate  the  sugar,  but  over  time 
the  insulin  reaction  degrades  and  the  excess 
sugar  can  cause  diabetes  and  kidney  and  cir¬ 
culation  problems. 

The  long-term  effects  of  cortisol  aren’t 
much  better.  Our  metabolism  slows  and  fat 
cells,  particularly  those  around  the  gut,  open 


up  to  receive  more  fat— the  body’s  most  stor¬ 
able  source  of  energy.  In  other  words,  stress 
makes  us  fat.  (See  “Our  Apple-Shaped  Lead¬ 
ers,”  Page  50.)  Since  cavemen  used  all  that 
extra  sugar  by  fighting  or  fleeing,  the  brain 
evolved  to  react  to  elevated  cortisol  levels  by 
craving  more  food,  according  to  leading  stress 
expert  Pamela  Peeke.  And  not  just  a  carrot 
and  a  rice  cracker.  Stress  wants  a  burger  with 
fries— lots  of  fats  and  carbohydrates— so  that 
you’ll  have  the  energy  stored  to  run  next  time. 
A  trip  to  Mickey  D’s  a  survival  response? 
Absolutely.  Your  body,  after  all,  doesn’t  know 


the  difference  between  a  tiger  on  the  prowl 
and  a  CFO’s  e-mail.  Fight  or  flight  has  become 
“stew  and  chew,”  as  Peeke  calls  it. 

Indeed,  researchers  found  that  Americans 
surveyed  after  Sept.  11  said  their  initial  reaction 
was  to  avoid  food  (stress  hormones  initially 
suppress  appetite  so  that  our  caveman  would¬ 
n’t  get  distracted  while  running  from  the  tiger) 
followed  by  a  tendency  to  overeat  (the  cortisol 
effect). 

Not  that  stress  makes  it  any  easier  to  digest 
the  food  you  crave.  Since  eating  doesn’t  have 
much  to  do  with  getting  away  from  the  tiger, 


cnemis 


locus  coaruieus 
shocks  brain  into  ■ 
hyperactivity. 

Stress  hormones 
flood  the  system. 


LUNGS 
Norepinephrine 
speeds  up 
respiration. 


HEART 

Adrenaline  turns 
up  heart  rate, 
increases  blood 
pressure. 


LIVER 
Provides  extra 
sugar  to  fuel 
brain  and 
muscles. 


rat  ceils  open 
up  to  receive 
HU  fat-storable 
energy. 


FEET  1 

Now  you're  \ 
ready  to  flee 
or  fight. 


September  2003  www.csoonline.com  49 


Personal  Management 


stress  steers  blood  away  from  the  digestive 
tract,  leading  to  indigestion,  ulcers  and  more. 
Similarly,  survival  is  more  important  than 
attacking  a  cold  bug,  so  resources  are  shifted 
away  from  the  immune  system,  increasing  the 
susceptibility  to  everything  from  the  trivial 
(colds  and  allergies)  to  the  tragic— cancer,  mul¬ 
tiple  sclerosis  and  lupus,  to  name  a  few. 

But  the  most  dramatic  impact  of  stress  is  on 
the  circulatory  system.  Stress  runs  the  heart 
harder  than  a  16-year-old  drives  a  car.  The 
combination  of  stress  hormones  such  as  corti¬ 
sol  and  adrenaline  keeps  the  heart  running  at 
a  high  idle.  “Emergency  room  doctors  use  a 
shot  of  adrenaline  to  get  a  heart  attack  patient 
going  again,”  says  Tyne.  “Imagine  what  that 
does  to  your  heart  when  it’s  flowing  con¬ 
stantly.”  But  unlike  a  car,  your  heart  doesn’t 
begin  to  leak  oil  or  emit  the  telltale  odor  of 
burning  bushings  as  it  runs  down.  It  just  stops. 

For  50  percent  of  the  people  who  get 
cardiovascular  disease,  death  is  the  first 
symptom,  according  to  the  American  Heart 
Association. 

Stress  and  Its  Antidotes 

Though  the  evidence  is  still  being  assembled, 
many  scientists  now  believe  that  learning  how 
to  short-circuit  the  fight-or-flight  response 
may  be  as  important  to  our  health  as  exercise 


and  diet.  For  example,  a  recent  Duke  Univer¬ 
sity  study  of  about  100  heart  disease  patients 
divided  them  into  three  groups.  The  control 
group  just  had  regular  medical  checkups, 
another  had  supervised  aerobic  exercise 
classes  three  times  a  week  for  four  months, 
and  the  third  group  received  stress  reduction 
education  once  a  week  for  90  minutes  during 
the  same  period.  After  five  years,  the  first 
group  had  experienced  12  heart  attacks,  the 
second  had  seven,  and  the  third  had  three. 
Results  such  as  those  are  slowly  convincing 
doctors  to  take  a  hard  look  at  the  mental  state 
of  their  patients. 

The  best  antidote  to  stress  is  exercise.  And 
viewed  in  the  context  of  the  chemistry  of  the 
fight-or-flight  response,  that  makes  sense. 
Exercise  is  simulated  flight— a  chance  for  all 
the  sugars  and  hormones  in  the  bloodstream 
to  be  used  for  their  intended  purpose.  Exercise 
also  feeds  our  brains  some  feel-good  drugs 
such  as  dopamine  and  beta-endorphin— evo¬ 
lution’s  reward  for  safely  escaping  the  tiger. 

Avoiding  the  stress  response  itself— feeling 
less  stress  in  the  first  place— is  a  lot  harder.  To 
understand  howto  control  stress,  you  have  to 
think  yourself  back  to  the  caves.  Three  major 
psychological  factors  made  cavemen’s  stress 
hormones  flow:  lack  of  control,  fear  and  iso¬ 
lation.  All  three  have  modern  correlatives. 

The  CSO  role  is  tailor-made  for  feeling  out 


of  control.  Something  can  go  seriously  wrong 
at  any  moment,  CEOs  can  change  their  minds 
and  stop  funding  your  work,  businesspeople 
can  resist  your  risk  assessments  for  no  good 
reason.  CSOs  have  a  vast  amount  of  responsi¬ 
bility  but  little  authority  for  controlling  out¬ 
comes.  This  is  what  psychologists  call  low 
decision  latitude. 

“This  creates  a  sense  of  chronic  powerless¬ 
ness,”  says  Scott  Stacy,  clinical  program  direc¬ 
tor  for  the  Professional  Renewal  Center,  which 
counsels  executives  on  stress.  “You  can’t  have 
an  effect  on  what  you  need  to  have  an  effect  on 
to  generate  a  sense  of  [internal]  calm.”  This 
leads  directly  to  health  problems.  According  to 
a  1997  study  of  about  3,000  Canadian  public- 
service  executives,  those  with  low  decision  lat¬ 
itude  saw  their  risk  of  illness  increase 
anywhere  from  30  percent  to  1,700  percent. 

To  see  the  theory  in  action,  just  ask  a  top 
CSO  if  he  would  like  to  report  to,  say,  the  head 
of  audit  instead  of  to  the  CEO.  Put  in  stress 
terms,  reporting  to  the  head  of  audit  reduces 
a  CSO’s  control  over  the  environment  because 
it  puts  someone  between  him  and  the  ulti¬ 
mate  influencer  over  the  company.  CSOs  also 
feel  increasingly  out  of  control  as  their  work¬ 
load  grows  and  affects  more  people.  That’s 
more  people  the  CSO  can’t  control.  Users 
don’t  have  to  do  anything  the  CSO  asks. 

The  control-related  stress  conditions  CSOs 
face  are  shared  by  another  C-level  player:  the 
CIO.  Joe  Gagliardi  is  the  CIO  at  Unisa,  a  dis¬ 
tributor  of  women’s  shoes  and  accessories. 
When  a  custom  manufacturing  resource  plan¬ 
ning  project  he  was  overseeing  at  Unisa  had  its 
funding  withdrawn  earlier  this  year,  Gagliardi 
not  only  lost  control  over  his  project  but  also 
over  the  expectations  of  users.  “I  had  a  bunch 
of  half-developed  applications  and  a  bunch 
of  half-trained  developers,  and  I  tried  to 
deliver  what  I  could,  but  it  wasn’t  working 
out,”  he  says.  Disappointed  departments 
began  criticizing.  So  Gagliardi  changed  every¬ 
one’s  expectations,  including  his  own.  “I  said 
we’re  going  to  stop  the  project  and  go  into 
maintenance  mode  on  the  legacy  applications 
until  times  improve,”  he  says.  “Now  when  my 
developers  manage  to  deliver  something  new, 
it’s  a  pleasant  surprise  for  everybody,  and 
they’re  happy  to  get  it.” 

Gagliardi  says  that  since  engineering  this 
attitude  adjustment,  his  stress  level  has  gone 


Our  Apple-Shaped  Leaders 


■ 


aroun 


Some  men  become  apple-shaped  because  the  brain  evolved 
elevated  cortisol  levels  in  the  blood  by  craving  food.  And 
and  rice  crackers.  Stress  wants  a  burger  with  frie: 


Bill  Clinton  LouGerstner  Ted  Kennedy  Dennis  Kozlows 

]  ' '‘nd  President  Former  CEO  of  IBM  Senator  (D-Mass.)  Ex-TycoCEO 


Bill  Parcsils  Ariel  Sharon  Harvey  Weinstein  Boris  Y 

Dallas  Cowboys  Coach  Israeli  Prime  Minister  Miramax  Cochairman  Former  R; 


50  www.csoonline.com  September  2003 


way  down.  Psychologically,  he  achieved  the 
control  over  his  environment  that  he  needed 
to  turn  off  his  primal  sense  of  anxiety— and  his 
physiological  fight-or-flight  response. 

Stress  in  Isolation 

It’s  much  harder  for  CSOs  to  escape  the  iso¬ 
lation  that  cavemen  learned  to  dislike  so 
much.  CSOs  who  show  the  signs  of  stress  send 
it  rippling  through  their  staffs  like  a  rock 
thrown  into  a  pond.  Worse,  those  who  confide 
in  their  employees  about  the  stress  they  feel 
risk  having  it  used  against  them.  “You  need  for 
your  staff  to  know  that  you’re  human;  you 
don’t  need  your  staff  to  know  that  you’re 
weak,”  says  the  University  of  Texas’s  Quick. 

Joining  a  networking  group  can  help  relieve 
the  loneliness,  as  can  a  deep  discussion  with 
your  spouse.  But  neither  of  these  palliatives 
can  change  a  CSO’s  reaction  to  stress  or  offer 
ways  to  relieve  it. 

Indeed,  CSOs  who  feel  isolated  tend  to 
alienate  those  around  them  who  could  offer 
support.  “No  one  understands  what  I’m  going 
through,  so  there’s  no  use  in  talking  about  it” 
is  a  refrain  that  Lee  Smithson,  a  psychologist 
and  executive  coach  for  consultancy  RHR 
International,  hears  a  lot  from  executives  she 
works  with. 

For  one  of  Smithson’s  clients,  who  requested 
anonymity,  stress  on  the  job  and  stress  at  home 


According  to 
a 1997 study,, 
executives  with 
,  ow  decision 
atitude  saw  their 
risk  of  illness 
increase  anywhere 
from  30  percent 
to  1,700  percent. 


Good  News  for  Type  A  Personalities 


REMEMBER  THAT  BOSS  who  said.  “I  don’t 
get  ulcers,  I  give  them?”  The  old  coot  may  have 
been  on  to  something. 

Scientists  once  believed  that  high-energy, 
aggressive  people-so-called  type  A  personalities — 
were  more  at  risk  for  stress-related  disorders  than 
others.  But  that  has  proven  not  to  be  the  case.  In 
fact,  some  type  A's  enjoy  stress  and  see  it  as  a  pos¬ 
itive.  In  effect,  they  simply  don’t  experience  what 
we  know  as  stress. 

“Competitiveness  does  not  damage  your 
health,”  says  psychologist  Sue  Parkerson  Wisner  of 
the  Duke  University  Medical  Center.  Only  type  A’s 
who  get  angry  or  depressed  have  stress- related 
health  problems,  she  says. 

Type  A’s  who  don’t  turn  the  steam  inward  have 


proven  to  be  mere  like  zebras  than  huntans  in  their 
response  to  stress,  a  famous  analogy  first  posed  by 
stress  researcher  Robert  Sapc-Ssky  in  his  1994  book. 
Why  Zebras  Don't  Get  Ulcers.  When  faced  with  a 
threat,  such  as  a  lion  springing  from  the  bush, 
zebras  have  the  same  fight-or-flight  response  as 
humans.  But  when  it’s  over,  when  their  brothers 
and  sisters  are  now  lunch  and  the  lions  are  settling 
down  for  a  snooze,  zebras  stop  worrying  until  the 
next  time  the  lions  show  up.  So  they  don’t  die  of 
stress. 

Psychologically  healthy  type  A’s  behave  the 
same  way.  When  that  big  meeting  is  over,  they 
leave  their  stress  in  the  conference  room.  They 
don’t  worry  about  the  next  big  meeting  until  the 
lions  wake  up.  -C.K, 


marched  in  lockstep.  “He  was  constantly  hav¬ 
ing  to  bargain  with  his  wife  for  time,  and  he 
canceled  two  vacations  with  her  and  their  chil¬ 
dren,”  Smithson  says.  “His  wife  had  become 
hardened  to  the  whole  situation.”  When  his 
company  merged  with  another,  he  told  his  wife 
that  he  wanted  to  apply  for  a  higher  paying  but 
more  demanding  position  at  the  new  com¬ 
pany.  “She  hit  the  roof,”  says  Smithson.  The 
man’s  wife  wasn’t  the  only  unhappy  one.  The 
new  company  told  him  that  unless  he 
revamped  his  approach  to  work  and  the  way  he 
handled  stress,  he  wouldn't  get  the 
job.  “He  was  functioning  as  the 
consummate  problem-solver,”  says 
Smithson.  But  his  obsession  with 
controlling  his  stress  by  doing  every¬ 
thing  himself  had  alienated  him 
from  his  employees,  who  wished  he 
would  delegate  more  often,  and  from 
his  superiors,  who  could  never  track 
him  down  for  important  meetings. 
And  when  he  did  attend,  he  was  so 
distracted  that  he  usually  sat  in 
silence. 

It  all  came  out  when  the  new 
company’s  management  asked  the 
man  to  submit  to  a  360-degree  per¬ 
formance  review.  He  was  stunned 
with  the  results.  He  was  far  from 
being  appreciated— the  12-hour 
workdays  he  was  putting  in  and  the 
evenings  he  spent  sifting  through 


the  e-mail  that  had  arrived  while  he  was  off 
putting  out  fires  were  viewed  as  a  problem. 
“He  had  never  gotten  that  kind  of  feedback 
before,”  says  Smithson.  “They  said  he  wasn't 
strategic  and  therefore  wasn’t  qualified  for 
the  job.” 

Like  many  hard-charging  professionals, 
this  man  was  in  denial.  He  had  become  with¬ 
drawn.  Ironically,  while  attempting  to  project 
strength,  he  was  actually  advertising  his  weak¬ 
ness.  Alone  in  his  office  cave,  he  had  doomed 
himself  to  become  some  tiger’s  lunch. 

Fortunately,  spurred  by  the  review,  he  and 
Smithson  were  able  to  create  a  plan  for  him  to 
distribute  responsibility  among  his  staff  and 
become  more  involved  in  business  strategy. 
Ultimately,  he  got  the  job  he  coveted. 

And  last  spring,  he  took  his  wife  and  two 
kids  to  Disney  World— along  with  a  cell 
phone.  ■ 

Christopher  Koch,  an  executive  editor  with  CSO’s  sister 
publication,  CIO  magazine,  usually  flees  the  effects  of  stress 
on  his  bike.  You  can  share  your  ideas  on  handling  stress 
with  him  at  ckoch4cio.com. 


How  Do  You  Cope  with  Stress? 


Ever  feel  like  CSO  stands  for  chief  stress  officer?  Tell 
us  what  stresses  you  out  the  most  and  how  you  deal 
with  it  by  reading  TALK  BACK,  CSOonline's  interactive 
column  written  by  Web  Editor  Sandy  Kendall.  Type  the 
DocID  number  (above)  into  the  search  box  at 
www.csoonline.com. 


September  2003  www.csoonline.com  51 


VALUE  RETREAT 

AWARDS  CEREMONY 


FEBRUARY  8 -10,  2004  •  TRUMP  INTERNATIONAL  SONESTA  BEACH  RESORT  •  MIAMI/SUNNY  ISLES,  FLORIDA 


Retreat  Moderator:  Peter  Weill 

Director,  Center  for  Information  Systems 
Research,  MIT  Sloan  School  of  Management 

The  Case  Studies 

Peter  Weill  once  again  joins  us  to  present 
new  findings  and  case  studies  from  work 
with  hundreds  of  Global  1000  companies, 
focusing  on  IT  needs  for  different  business 
models.  He  will  also  conduct  a  workshop  on 
IT  governance  with  insights  and  case  studies 
from  MIT  CISR’s  study  on  how  top  financial 
performers  govern  IT  and  the  five  key  deci¬ 
sions— IT  principles,  architecture,  infra¬ 
structure,  applications  needs  and 
investment. 

“The  content  presented  by  Peter  Weill  was 
an  excellent  framework  to  discuss  current 
challenges  with  a  very  interesting 
peer  group.” 

-CHRIS  ACTON,  GLOBAL  IS,  RIO  TINTO  BORAX 

“A  must  for  any  CIO.  Addresses  the  larger 
issues  a  CIO  faces,  without  getting  lost  in 
technical  details." 

-GERHARD  KARBA.  CIO,  HINES  INTERESTS 


The  Enterprise  Value 
Award  Winner  Presentations 

They’re  first  scrutinized  by  CIO  editors,  then 
visited  by  our  Review  Board  members— and 
finally  make  it  through  our  judging  panel  of 
top-notch  CIOs.  Winners  of  this  year's  pres¬ 
tigious  CIO  Enterprise  Value  Award  share 
how  they  delivered  true  value. 

“Excellent  opportunity  to  network  with 
those  who  have  overcome  the  various 
challenges.  Lessons  learned  are  not  the 
usual  academic  fare,  but  the  subtleties  of 
the  cultural  and  technological  minefields.” 

-EVELYN  LOCKETT  WOODS,  EVP/CIO, 
JOINT  COMMISSION  ON  ACCREDITATION  OF 
HEALTHCARE  ORGANIZATIONS 

“The  award  winner  presentations  were 
extremely  valuable  in  terms  of  the  process 
and  ingenuity  insights  laid  out." 

-TOM  GAYLORD,  VP/CIO,  UNIVERSITY  OF  AKRON 


The  Peer  Networking 

From  informative  chats  at  breakfast  and 
lunch  roundtables,  to  the  intensely  interac¬ 
tive  case  study  workgroup  sessions,  to 
relaxed  conversations  during  the  daily  end- 
of-sessions  receptions— we  give  you  more 
opportunities  to  meet  and  learn  from  more 
of  your  peers. 

“The  discussion  and  information  exchange 
with  peers  is  invaluable.” 

-ROBERT  ODENHEIMER,  SVP,  IT  OPERATIONS, 
MAGELLAN  BEHAVIORAL  HEALTH 

“The  premier  conference  for  CIOs.  A  great 
opportunity  for  learning  and  networking." 

-ANGELO  PRIVETERA,  CIO,  HDR,  INC. 


Presented  by 

BRB 

The  Resource  for 
Information  Executives 


Call  800.355.0246  or  visit  us  at  www.cio.com/conferences 


Technologies,  Tools 
and  Tactics 


Ruling  Over  Unruly  Programs 


And  why  theoretical  security  is  theoretically  impossible  By  Simson  Garfinkel 


ROJAN  HORSES.  Keyboard  loggers. 
Viruses.  Bad  insiders.  Bad  outsiders.  Evil¬ 
doers.  Perforated  firewalls.  Corrupt  backups. 
Spam.  A  few  years  ago,  many  security  pro¬ 
fessionals  I  knew  looked  forward  to  the  day 
when  the  majority  of  the  world’s  computer 
security  problems  were  worked  out.  Back 
then,  we  thought  that  improving  security  was 
just  a  question  of  deploying  technology,  pro¬ 
viding  training  and  getting  people  to  follow 
the  appropriate  procedure.  But  a  look  at 
computer  science  theory  proves  otherwise. 

A  fundamental  goal  of  computer  security 
has  been  to  put  some  sort  of  restrictions  on 


program  execution.  For  example,  worms  and 
viruses  wouldn’t  be  a  problem  if  they  didn’t 
damage  our  files,  reformat  our  hard  drives 
and  e-mail  themselves  to  everybody  in  our 
address  books.  If  there  were  just  some  way 
we  could  stop  the  bad  programs  from  doing 
what  we  don’t  want,  without  affecting  the 
execution  of  the  good  programs,  our  problem 
would  be  solved. 

But  to  stop  the  bad  programs,  we’re  going  to 
need  some  way  of  distinguishing  the  bad  from 
the  good.  That  is,  we’re  going  to  need  a  pro¬ 
gram-analyzing  program  that  can  look  at  any 
given  suspect  program  and  determine  if  it  has 


any  hostile  code.  If  it  doesn’t,  then  the  suspect 
application  is  safe  to  run.  Security  is  simple. 

But,  as  it  turns  out,  writing  such  a 
program-analyzing  program  is  theoretically 
impossible. 

The  impossibility  stems  not  from  legal 
issues— such  as  determining  whether  a  pro¬ 
grammer  had  “criminal  intent”— but  from  a 
technical  conundrum.  The  mathematics  of 
computing  make  it  impossible  to  write  soft¬ 
ware  that  can  figure  out  what  other  programs 
can  do,  prior  to  execution. 

To  be  sure,  it  is  possible  to  write  programs 
that  can  examine  simple  programs  and 


ILLUSTRATION  BY  ANASTASIA  VASILAKIS 


September  2003  www.csoonline.com  53 


' 

Machine  Shop 


determine  what  they  do.  But  there’s  the 
problem:  In  principle,  there  is  no  way  to 
examine  a  program’s  instructions  and 
figure  out  precisely  what  it  does.  That’s 
because  it  is  too  complicated.  In  princi¬ 
ple,  running  the  software  is  the  only  way 
to  discover  what  it  does.  And  once  a  hos¬ 
tile  program  is  run,  it’s  too  late:  The 
damage  has  been  done. 

That’s  why  today’s  antivirus  systems 
don’t  try  to  predict  what  an  infected  pro¬ 
gram  will  do.  Instead,  these  systems  have 
a  list  of  “signatures,”  or  sequences  of 
bytes,  that  have  been  observed  in  existing 
viruses.  If  the  copy  of  Microsoft  Word 
that’s  about  to  be  run  contains  the  same 
copy  of  bytes  that  were  discovered  years 
ago  in  the  Michelangelo  virus,  for  exam¬ 
ple,  then  that  copy  of  Word  is  deemed 
infected  and  is  not  permitted  to  run. 

But  let’s  say  that  your  copy  of  Word  is 
infected  by  a  virus  that’s  never  been  seen 
before— then  you’re  out  of  luck.  You  can 
analyze  the  copy  of  Word  to  see  if  it  has 
instructions  for  formatting  the  computer’s 
hard  drive,  for  example.  But  if  you  can’t 
find  them,  that  still  doesn’t  prove  that  the 
program  won’t  format  your  hard  drive- 
computer  programs  can  modify  them¬ 
selves  when  they  run  and  add  these 
commands  to  themselves.  It’s  this  ability 
of  computer  programs  to  modify  them¬ 
selves  that  makes  their  behavior  mathe¬ 
matically  impossible  to  predict. 

British  mathematician  Alan  Turing 
proved  the  impossibility  of  predicting  pro¬ 
gram  actions  back  in  1936.  Turing  looked 
at  the  simplest  kind  of  hostile  program 
and  proved  that  it  is  impossible  to  tell  in 
advance  if  a  program  will  go  into  an  infi¬ 
nite  loop,  or  stop.  Today  we  call  this  the 
Halting  Problem.  It  is  unsolvable. 

The  more  you  think  about  the  Halting 
Problem,  the  stranger  it  seems.  That’s 
because  every  program  will  eventually 
halt  or  run  forever.  And  since  computers 
are  deterministic  machines  that  do 
exactly  as  they  are  programmed,  it  seems 
that  it  should  be  possible  to  analyze  a 
program  and  determine  in  advance  what 
that  program  will  do  when  it  is  run.  But 
Turing  showed  that  you  can’t— no  matter 
what  kind  of  computer  you  have,  no  mat¬ 
ter  how  fast  it  is,  no  matter  how  much 


storage  the  computer  has,  or  no 
matter  how  long  you  let  your 
computer  program  run.  What  you 
can  do  is  examine  a  given  pro¬ 
gram  and  tell  if  it  is  the  same  as 
other  programs  that  run  forever 
without  stopping.  But  you  can’t 
recognize  new  programs  that  run 
forever. 

It’s  trivial  to  extend  Turing’s 
work  to  any  other  kind  of  com¬ 
puter  security  problem  involving 
hostile  code:  You  can’t  examine  a 
copy  of  Word  and  determine  if  a 
back  door  has  been  placed  in  the 
program  to  surreptitiously  e-mail 
copies  of  your  confidential  docu¬ 
ments  to  Argentina.  And  you  can’t 
prove  that  your  copy  of  Windows 
isn’t  silently  recording  every  pass¬ 
word  that  you  type  for  playback  at 
a  later  time. 

One  favored  approach  lately  to 
“solving”  the  computer  security 
problem  of  desktop  computers  is 
to  gimmick  their  operating  systems  so 
that  they  will  run  only  the  programs  that 
have  been  digitally  signed  by  publishers 
such  as  Microsoft  and  Adobe.  But  Tur¬ 
ing’s  work  tells  us  that  these  digitally 
signed  programs  may  nevertheless  have 
exploitable  security  bugs:  It’s  theoreti¬ 
cally  impossible  to  prove  that  they  don’t. 

Just  about  the  only  way  to  take  back 
computer  security  from  the  morass  that 
Turing  created  is  to  restrict  what  com¬ 
puter  programs  can  do— that  is,  make 
computers  less  general-purpose.  This  was 
one  of  the  fundamental  ideas  behind 
JavaScript;  because  JavaScript  lacked 
commands  for  writing  or  erasing  files  on 
the  user’s  hard  drive,  there  was,  in  theory, 
no  way  for  a  JavaScript  program  to  per¬ 
form  those  malicious  actions. 

But  it  takes  surprisingly  little  power 
and  flexibility  to  tip  the  scales  and  make 
a  program’s  behavior  unpredictable. 
JavaScript’s  ability  to  manipulate  the 
contents  of  a  webpage  after  they’re 
loaded— then  reinterpret  the  page  as  a 
new  program— has  caused  countless 
problems  for  Hotmail,  Yahoo  and  prac¬ 
tically  every  website  that  lets  visitors  post 
raw  HTML. 


Between  the 
Pipes 

Hackers  (well,  the  successful  ones  anyway)  are  cre¬ 
ative  types,  always  looking  for  new  ways  to  get  into 
your  network.  So  it  makes  sense  for  security  tool 
developers  to  strive  for  equal  creativity.  Here’s  a 
handful  of  defense  tools  that  analysts  cite  as  network 
security  innovations. 

ForeScout  Technologies  ( www.forescout.com ) 
offers  an  interesting  twist  on  network  security, 
according  to  Pete  Lindstrom,  director  for  market 
research  company  Spire  Security.  ForeScout’s  Active 
Scout  product  aims  to  trick  would-be  intruders  by 
sending  them  false  information,  including  bogus  IP 
addresses,  e-mail  accounts  or  passwords.  Since  most 
hackers  begin  by  conducting  reconnaissance  work  on 
their  victim  network,  their  first  steps  include  searches 
for  passwords  and  e-mail  accounts  in  order  to  obtain 
access.  Active  Scout  happily  releases  passwords— just 
not  the  real  ones-and  tags  the  requester  of  that 
information.  If  that  hacker  comes  back  to  look  again 
and  uses  the  bogus  password,  network  administrators 
know  they  have  an  intruder,  and  not  just  someone 
who  mistakenly  entered  the  network. 

“If  someone  responds  to  your  bogus  information, 
you  know  that  this  is  unauthorized,  and  then 


54  www.csoonline.com  September  2003 


PHOTO  BY  GETTYONE 


Spalgl  V* 


IT  Training  & 
Certification 


-  .  r 


r  '  -  ■  ■ 


ivisprt  :T:-- 

v  k  v 


Mitnick's  Social  Engineering  In  2  Days 
Wireless  Network  Security  In  4  Days 
Web  Application  Hacking  In  3  Days 
Professional  Hacking  In  5  days 
Computer  Forensics  In  3  Days 


CompTIA  Security+  In  5  Days 
MCSE  Security  In  14  Days 
Virtual  CISSP®  In  3  Days 
Check  Point  In  6  Days 
CCSP®  In  12  Days 
CISSP®  In  7  Days 


Microsoft 


Partner 


iS’TnuSecune 


Authorized  Training  Partner 


ODD  CompTIA 


V  C  EH 

'  K  (hUM  IHikd  Mttbr 

Locations  in:  Ft.  Lauderdale.  FL  |  New  York  Metro  |  Columbus.  OH  |  San  Diego,  CA  |  Washington,  DC  Metro 

8211  W.  BROWARD  BLVD  FORT  LAUDERDALE.  FL  33324  Ph.866-300-2119  -  INTENSE  SCHOOL  nwww.intenseSChool.com 


Machine  Shop 


Turing’s  theorem  isn’t  the  only 
quandary  that  theoretical  computer  sci¬ 
entists  have  thrown  at  security  profes¬ 
sionals.  Another  one  is  the  fundamental 
question  of  whether  computers  can  solve 
problems  that  are  truly  complex— that 
is,  complex  in  a  theoretical  sense— by 
short-circuiting  the  underlying  mathe¬ 
matics  that  make  these  problems  hard. 
Mathematicians  have  worked  on  this 
problem  for  more  than  30  years,  but  so 
far  nobody  knows  the  answer. 

These  hard  problems  are  all  in  a  math¬ 
ematical  family  called  NP,  and  they  share 


Levin,  made  a  simultaneous  discovery: 
If  a  fast  way  is  ever  found  to  solve  a  par¬ 
ticular  kind  of  NP  problem,  a  problem 
that’s  so-called  NP  complete,  then  that 
result  could  be  used  to  solve  every  NP 
problem. 

Some  mathematicians  claim  that  such 
a  result  might  be  the  end  of  cryptography. 
In  fact,  it  might  not.  The  difficulty  of  fac¬ 
toring  large  numbers  is  the  basis  of  the 
RSA  encryption  algorithm.  For  years,  fac¬ 
toring  was  thought  to  be  an  NP  problem, 
but  two  years  ago  some  clever  mathe¬ 
maticians  found  a  way  to  short-circuit 


Just  about  the  only  way  to  take  back 
computer  security  from  the  morass  that 
Alan  Turing  created  is  to  restrict  what 
computer  programs  can  do— that  is,  make 
computers  less  general-purpose. 


a  common  peculiar  property:  The  prob¬ 
lems  are  hard  to  solve,  but  once  you  find 
an  answer  it’s  trivial  to  prove  that  it  is 
the  correct  one.  Code-breaking  is  one  of 
those  problems.  If  the  only  way  you  have 
to  crack  an  encrypted  message  is  by  try¬ 
ing  every  key,  it  might  take  a  hundred 
billion  years  for  you  to  try  them  all  and 
find  the  right  one.  But  once  you  have  the 
right  key,  it  takes  less  than  a  fraction  of  a 
second  to  prove  that  the  key  is  the  correct 
key:  All  you  do  is  decrypt  the  message. 

There  are  many  of  these  NP  problems: 
scheduling  speakers  and  rooms  at  a  con¬ 
ference,  for  example,  or  seating  women  at 
a  dinner  party  so  that  nobody  is  sitting 
next  to  an  ex-boyfriend.  For  every  case, 
the  only  way  we  know  to  solve  these 
problems  is  through  brute-force  search— 
that  is,  you  have  to  try  every  combination 
until  you  find  one  that  works. 

The  strange  thing  about  these  NP 
problems  is  that  mathematicians  have 
never  formally  proven  that  brute-force 
search  is  the  only  attack  that  works:  They 
just  haven’t  found  any  other  way  to  solve 
these  problems.  But  in  1973  two  mathe¬ 
maticians,  Stephen  Cook  and  Leonid 


the  math.  But  as  it  turns  out,  the  short- 
circuit  technique  isn’t  very  fast,  and  the 
security  of  RSA  is  safe— at  least  for  now. 

If  mathematicians  ever  find  a  way  to 
solve  an  NP-complete  problem,  and  it’s 
possible  that  somebody  might,  then  this 
knowledge  could  be  used  to  reverse- 
engineer  practically  every  encryption 
scheme  that’s  ever  been  devised.  Whether 
those  attacks  would  be  practical,  no  one 
knows.  But  never  ignore  the  possibility 
that  all  of  the  science  of  cryptography 
could  suddenly  come  tumbling  down.  Is 
such  a  result  likely?  Of  course  not.  But  it 
is  possible. 

So  the  next  time  you  feel  overwhelmed 
by  the  responsibilities  that  come  with 
being  a  security  officer  or  consultant,  take 
solace  in  the  fact  that  the  problems  you 
are  trying  to  solve  are  fundamentally 
unsolvable.  Given  those  odds,  any 
progress  you  can  make  is  probably 
worthwhile.  ■ 

Simson  Garfinkel,  CISSP,  is  a  technology  writer  based 
in  the  Boston  area.  He  is  also  CTO  of  Sandstorm  Enter¬ 
prises,  an  information  warfare  software  company.  He 
can  be  reached  at  machineshop a  cxo.com. 


[ForeScout]  blocks  the  source,  the  IP  address,"  says 
Lindstrom. 

CounterMalice  is  described  by  purveyor  Silicon 
Defense  ( www.silicondefense.com )  as  a  "worm  con¬ 
tainment  solution.”  CounterMalice  works  by  first 
dividing  a  network  into  various  cells  that  the  software 
can  monitor.  The  software  then  analyzes  network  traf¬ 
fic  between  cells,  searching  for  data  movement  pat¬ 
terns  that  could  indicate  the  spread  of  a  worm.  If  an 
odd  pattern  is  detected,  that  cell  is  blocked  from  com¬ 
municating  with  other  cells,  and  the  worm  is  stopped. 
Lindstrom  says  what's  unusual  about  this  idea  is  that 
rather  than  searching  individual  strings  of  data  for 
specific  worms,  CounterMalice  watches  the  behavior 
of  the  network  traffic  itself. 

Charles  Kolodgy,  research  director  for  security 
products  at  IDC  (a  sister  company  to  CSO’s  pub¬ 
lisher),  says  lately  he  is  seeing  unique  products  from 
companies  with  close  ties  to  the  government,  includ¬ 
ing  Invicta  Networks  ( www.invictanetworks.com ). 
Invicta  was  founded  by  former  National  Security 
Agency  contractor  and  ex-KGB  agent  Victor  Sheymov, 
who  defected  to  the  United  States  in  1980.  Invicta’s 
concept  for  deterring  hackers  involves  changing  the 
protected  network’s  IP  address  as  frequently  as  every 
second.  The  company’s  InvisiLAN  product  works 
via  network  security  cards  installed  in  each  worksta¬ 
tion.  Each  card  is  connected  to  a  central  control  unit 
the  IS  team  can  use  to  monitor  the  switching  of  IP 
addresses. 

“By  hiding  data  and  hiding  IP  addresses,  they 
pretty  much  make  the  hackers  just  see  dark  space,” 
says  Koiodgy,  who  says  that  products  such  as  Invisi¬ 
LAN  that  enforce  security  at  the  desktop  level  are  on 
the  rise. 

Another  innovative  company  with  government 
ties  that  Kolodgy  notes  is  Arxan  Technologies 
(www.arxan.com),  whose  board  members  include 
former  directors  of  the  Defense  Advanced  Research 
Projects  Agency  and  the  NSA.  Arxan  Technologies’ 
approach  is  a  program  called  Enforced  that  embeds 
small  security  units  (think  mini-programs  running 
security  procedures)  within  an  application’s  binary 
code.  These  units  are  programmed  to  protect  the 
integrity  of  the  software  in  use  by  reporting  any 
tampering,  and  also  to  repair  damages  through 
self-healing  processes.  -Julie  Hanson 


56  www.csoonline.com  September  2003 


Well,  I  was  hoping  to  wear  this  new 
suede  jacket  I  just  bought,  so  I  m 

lust  kind  of  keeping  my  hogers 

crossed  that  it  doesn't  rain  today. 


IT  guy 
has  time 

to  chat 

Greg  Brown,  33,  seen 
talking  freely  to  co-workers 

after  deploying 
Nokia  Message  Protector 

“t  used  to  spend  most  of  mV  day 

different  security  P™*  ,  beami„g  Greg  told 

rejection  for  our  emaj^  ^  ^  ^  ,T  ind„stry 

Features  seminar.  “Trying  to  plug  h.« 

Automatic  ^"-scan- 

Signature  ^  •tcchnologies,  trying  to  keep 

Updates  tbem  updated  a  0 

F  K  c  Rut  it  changed  with  the  imple- 

kept  me  in  the  tranche  .  (  Now  that  we 

. .  M  Nokia  Message  Protecro  _ M(in 


available 


m 


w  f 


ii 


m 


M" 


if?# 


m 


wm 


■ 

m 


...  ,an  focus  on  other  thil 
sure  him,  and  our  desMop: 

Trying  to  plug  holes 

gateways  looking  aj^^^  updated  I 

no'og'es,.  try.' ^trenches.  Butitch 


Introducing  Nokia  Message  Protector. 


Nokia  has  created  a  complete  purpose-built 
appliance  that  integrates  innovative  security 
technologies  including  virus  protection  from 
Trend  Micro™,  with  unique  Nokia  filtering 
software  —  known  as  statistical  protection  —  to 
deliver  new  levels  of  enterprise  email  security. 
Nokia  Message  Protector  deploys  in  minutes  and 
provides  secure,  automatic  updates  to  optimize 


email  system  integrity.  With  the  ability  to 
process  up  to  120,000  emails  per  hour,  and  the 
intelligence  to  control  the  content  that  enters, 
flows  through  and  leaves  your  network,  you  can 
spend  more  time  doing  things  that  matter  — 
like  getting  to  know  your  colleagues! 

If  you’d  like  more  time  to  chat,  visit 
www.nokia.com/get_a_life/americas 


IMOKIA 

Connecting  People 


I  8 1 


t  ££ 


CSO  Undercover 


Scare  and  Scare  Alike 


DHS,  the  FBI,  other  government  agencies  and  America’s 
CSOs. 

Before  writing  this  piece,  I  searched  for  information  to 
counter  my  own  concerns.  I  found  a  quote  in  Government 
Executive  magazine  from  Alfonso  Martinez-Fonts  Jr., 
the  assistant  secretary  for  Private  Sector  Coordination  at 
the  DHS.  Seems  he’s  been  “making  the  rounds  in  Wash¬ 
ington,”  meeting  with  the  U.S.  Chamber  of  Commerce, 
the  National  Association  of  Manufacturers,  the  Council 
on  Competitiveness  and  The  Business  Roundtable.  I’m 
glad  Alfonso  is  venturing  so  far  from  the  office;  clearly, 
he’ll  get  the  real  poop  from  that  proximity. 

He’s  talking  to  the  same  organizations  that  have  recently 
reported  no  appreciable  increase  in  security  funding  due 
to  terrorism— or  other  concerns,  for  that  matter.  And 
Martinez-Fonts’  conclusion  from  these  meetings?  “Dif¬ 
ferences  between  the  department  and  the  business 
community  can  be  reconciled.”  Boy,  am  I  relieved. 


Who  Do  You  Trust? 

I’m  not  one  to  mince  words.  The  DHS  and  our  national 
security  apparatus  have— or  ought  to  have— the  ability  to 
share  with  the  private  sector  information  on  emerging 
and  immediate  threats.  I  know  that  it’s  early  in  the  life  of 

the  DHS,  and  I  recognize  the  chal¬ 
lenge  Secretary  Tom  Ridge  has  in 
consolidating  so  many  govern¬ 
ment  agencies  to  focus  on  domes¬ 
tic  terrorism.  But  aside  from  some 
high-level  engagement  of  selected 
sector  ISACs  and  the  newly 
announced  initiative  targeting 
money  laundering,  I  haven’t  seen 
any  effort  to  engage  CSOs  or  to 
address  the  risks  confronting  the 
private  sector.  The  DHS’s  outreach 
has  been  to  state  and  local  gov¬ 
ernments  that  are  screaming 
about  the  alert  process  and  result¬ 
ing  overtime  costs  of  their  police 
departments. 

I  don’t  know  exactly  what  a 
multisector  information-sharing 
network  with  CSOs  and  the  DHS 
would  look  like,  but  I  know  that 
the  homeland  security  mission 
begs  for  a  new  paradigm  of 
information-sharing.  Of  course, 
legal  impediments  abound  for 
sharing  information  at  a  level  of 
detail  that  is  truly  actionable.  The 
other  real  constraint  in  sharing 
information  is  trust. 


The  Department  of  Homeland  Security  has  been  around  for 
more  than  100  days  now,  and  I’m  still  wondering  where  my 
organization  will  fit  into  its  plan  By  Anonymous 


K,  SO  WE’VE  ALL  ADJUSTED  to  the  color  alerts  put  out 
by  the  government.  But  what  do  they  really  mean  to  us?  And,  more  to  the  point, 
what  do  we  really  mean  to  them? 

By  “them,”  of  course,  I’m  referring  to  the  new  Department  of  Homeland  Security. 
I  don’t  think  the  guys  in  Washington  understand  that  CSOs  have  a  serious  place  at 
their  table.  As  owners  of  85  percent  of  the  critical  infrastructure  of  this  country,  the 
private  sector  is  an  important  constituency  for  the  DHS.  When  it  comes  to  cyber¬ 
space,  product  diversion,  financial  crime  and  a  host  of  other  domestic  threats,  the 
private  sector  operates  the  safeguards.  It  is  no  longer  feasible— or  preferable— for  the 
public  sector  to  single-handedly  control  the  protective  apparatus  of  this  nation. 

However,  the  legislation  that  created  the  DHS  never  clearly  identified  the  private 
sector’s  role  in  homeland  protection. 

Nor  did  it  balance  the  strengths, 
weaknesses,  needs  and  resources  of 
government  and  business  in  protect¬ 
ing  critical  infrastructures.  It  merely 
acknowledged  the  need  to  share 
information  in  unspecified  ways  with 
the  private  sector  as  well  as  with  state 
and  local  governments. 

I  must  say,  I’m  disappointed.  I 
really  thought  our  government  was 
going  to  get  busy  developing  a  new 
way  to  engage  the  private  sector— 
and  CSOs  as  the  accountable  parties 
in  such  a  partnership.  The  post-9/ll 
months  have  certainly  demonstrated 
the  private  sector’s  need  for  more 
accurate  and  actionable  information 
from  the  government  so  we  can  make 
more  focused  security  decisions.  And 
CSOs  may  have  information  critical 
to  the  public  sector’s  timely  aware¬ 
ness  of  threat  and  risk,  precisely 
because  we  are  on  the  front  lines. 

CSOs  have  been  busting  their 
butts  to  get  someone  in  the  DHS  to 
recognize  that  they  exist  as  a  con¬ 
stituency.  It’s  long  past  time  for  a 
meaningful  dialogue  among  the 


58  www.csoonline.com  September  2003 


ILLUSTRATION  BY  DAVID  HOLLENBACH 


With  neuSECURE™,  industry-leading  software 
from  GuardedNet,  you  can  transform  those 
mountains  of  raw  security  event  data  into  what 
you  really  need  -  knowledge  to  help  you  manage 
your  organization’s  security  posture. 


neuSECURE::;  threat  management  process 


Firewalls 

IDS 

1 

Routers 

Op  Systems 

l 

Applications 

Others 

Centralize  Analyze 

Correlate  Prioritize 


Report 

Rememb 


neuSECURE  is  a  security  management  and 
incident  response  platform  for  log  aggregation, 
event  correlation,  threat  analysis,  threat  response 
and  forensic  investigation 
of  security  event  data 
from  firewalls,  IDS’,  hosts 
and  routers.  neuSECURE 
facilitates  real-time 

attack  detection,  investigation  and  response  and 
generates  a  wide  range  of  reporting  options  for 
operations,  management  and  audit  compliance. 


■ 

Iff 


For  a  free  practitioner’s  guide  by  industry  expert 
Ken  Pfeil  called  “ Best  Practices  for  Incident 
Response”,  call  1-888-599-8297  or  visit 
www.guarded.net/csomag_bestpractices.html. 


94sB$t:*S 

_ _ 


GuardedNet 


guarded.net 


CSO  Undercover 


However,  the  government  says  it  hesitates 
to  hand  out  information  because  it  doesn’t 
know  the  CSOs.  What  a  bunch  of  hooey!  They 
owned  our  clearances.  Still,  the  issue  of  non- 
U.S.  ownership  is  a  complicated  one,  and  the 
question  of  how  to  protect  the  information 
granted  to  a  “cleared”  corporate  individual  is 
a  fair  one.  Look  to  the  defense  establishment 
for  that  answer.  Big  companies  with  the  high¬ 
est  classifications  of  sensitive  information  are 
sufficiently  compartmentalized,  while  non- 
involved  company  business  goes  on  outside 
the  cone  of  silence. 

Perhaps  a  bigger  issue  is  in  sharing  infor¬ 
mation  that  could  be  used  by  competitors  or 
headline-seeking  U.S.  attorneys.  While  my 
experience  in  sharing  sensitive  information 
with  my  competitor  counterparts  has  been 
positive,  I  recognize  that  we  don’t  want  to 
open  our  kimonos  as  an  unconscious  act. 

For  those  who  say  it  can’t  be  done,  I  point 
to  the  State  Department  Overseas  Security 
Advisory  Council  as  a  model  for  a  public/pri¬ 
vate  partnership  that  works  unbelievably  well 
and  with  a  spirit  of  collaboration.  We  also 
occasionally— I  repeat,  occasionally— see  a 
concerted  effort  at  proactive  sharing  by 
enlightened  Agents-in-Charge  of  the  FBI  and 
Secret  Service  field  offices.  The  DHS  needs  to 
learn  from  those  models  and  establish  proto¬ 
cols  for  real,  substantive  information-sharing. 

Invitation  to  Dance,  Etcetera 

So  here  I  am  in  a  homeland  security  state  of 
mind,  when  I  get  an  invitation  to  be  granted 
immediate  certification  in  homeland  security 
(limited  time  only!)  if  I  have  significant  mil¬ 
itary,  law  enforcement  or  other  experience 
that  interfaces  with  homeland  security. 
They’ll  automatically  give  me  100  points 
toward  a  Level  I  Certification  in  homeland 
security  and  provide  an  easy-to-follow  ques¬ 
tionnaire  to  tally  up  my  experience. 

I  start  with  my  military  experience:  30 
points  if  I  was  a  captain,  60  if  I  was  a  colonel, 
and  75  if  I  was  a  general.  No,  no  and  no.  I  get 
credit  for  experience  with  explosives  ordi¬ 
nance  disposal,  “etcetera.”  Unfortunately,  I 
was  just  a  bohunk  GI.  On  this  scorecard, 
run-of-the-mill  soldier  types  get  nada.  I 
knew  I  should  have  stayed  in. 

The  questionnaire  also  gives  credit  for  law 
enforcement  experience,  so  I  pick  up  a  few 


points  for  time  spent  too  many  years  ago. 

Then  it  reviews  private  security  experi¬ 
ence.  Yup,  a  decade  of  CSO’ing  along  with 
more  than  20  years  in  homeland-related 
experience.  We’re  gaining  on  it  now. 

But  with  medical  and  health  profession 
experience,  I  get  nuthin’.  I  can  also  consider 
other  homeland  experience  such  as  psychol¬ 
ogy  (huh?),  treaty  inspection,  accounting, 


experience  makes  for  an  effective  CSO.  Don’t 
get  me  wrong,  I  did  my  time  and  am  blessed 
with  knowing  a  great  many  fellow  CSOs  who 
come  from  law  enforcement,  and  they  have 
done  very  well  within  their  corporations.  But 
it  is  also  true  that  client  businesses  often 
think  of  the  function  as  the  corporate  cops 
versus  an  integrated  element  of  business 
process.  I  guess  I  understand  the  CISOs  who 


The  DHS  and  our  national  security 
apparatus  have— or  ought  to  have— the  ability 
to  share  with  the  private  sector  information 
on  emerging  and  immediate  threats. 


cybersecurity,  EMT,  transportation  and,  of 
course,  good  old  etcetera. 

In  the  final  stretch,  we  round  out  the  exer¬ 
cise  with  education,  knowledge  (I’m  sure  I’ve 
got  some  of  that  somewhere)  and  an  oppor¬ 
tunity  to  make  a  plea  for  skills  they  may  have 
missed,  such  as  (you  guessed  it)  etcetera. 
Pray  with  me. 

All  told,  I  amass  475  points.  Holy  certifi¬ 
cate!  I  can  be  granted  immediate  certification 
in  homeland  security!  Wait  a  minute.  What’s 
this?  I’ve  got  to  join  an  association  that  I’ve 
never  heard  of  and  plunk  down  $480  for  a 
membership  fee  and  my  certificate.  For  that, 
I  get  a  subscription,  networking  opportuni¬ 
ties,  a  referral  service  and  the  opportunity  to 
attend  conferences  (sponsored  by  none  other 
than  the  guys  who  have  granted  me  this  new 
certification)  and  hear  from  acclaimed  folks 
who  have  no  apparent  relationship  to  the 
practical  problems  I  face  on  a  daily  basis. 
Etcetera.  Guess  I’ll  pass  on  this  one. 

These  grandfathered  “certifications”  really 
stick  in  my  craw.  But  it’s  more  the  gall  to 
capitalize  on  this  whole  homeland  security 
thing  that  really  offends. 

The  other  thing  that  bothers  me  about 
this  homeland  security  certification  process 
is  what  it  says  about  the  sponsoring  organi¬ 
zation’s  perceptions  of  security  as  a  profes¬ 
sion.  Look  at  the  emphasis  on  prior  military 
and  law  enforcement  for  accreditation. 
Human  resources  and  headhunters  fall  prey 
to  this  idea— that  this  type  of  public-sector 


see  themselves  as  more  business-process- 
oriented  than  the  ex-fed  who  is  perfectly  sat¬ 
isfied  to  limit  his  practice  to  investigations  or 
executive  protection.  While  corporate  anxi¬ 
ety  has  clearly  waned,  a  sustained  concern  for 
domestic  terrorist  threats  may  reinforce 
these  backgrounds  as  primary  hiring  criteria. 

But  I  seriously  question  if  this  is  the  future. 
Today’s  risk  environment  is  driving  expecta¬ 
tions  in  many  companies  and  will  do  so  in 
others  as  we  look  ahead.  A  cursory  review  of 
risk  management  literature  of  just  a  few  years 
ago  fails  to  find  any  real  concern  for  terror¬ 
ism,  reputational  risk  or  other  security  risks. 
Look  at  what  cybercrime,  9/1 1  and  Enron 
have  done  to  your  risk  manager’s  vocabulary. 
A  dark  side  to  that  trend  is  the  soaring  cost  of 
risk-related  insurance.  The  board  of  direc¬ 
tors  is  focused  more  than  ever  on  the  proac¬ 
tive  protection  of  the  technical  environment, 
business  continuity  and  corporate  ethics, 
issues  they  see  as  far  more  threatening  to 
their  survivability  than  terrorism. 

Sure,  my  nose  is  bent  out  of  shape  a  bit 
because  security  is  now  a  big  deal  in  Wash¬ 
ington.  And  we’ve  been  out  here  protecting 
our  part  of  the  homeland  since  Tom  Ridge 
was  an  assistant  DA.  Frankly,  if  he  can  get  all 
those  agencies  he  now  owns  to  talk  to  one 
another,  I  guess  I  shouldn’t  be  so  damn  puffed 
up  about  what  info  I  have  that  he  could  use.  ■ 

This  column  is  written  anonymously  by  a  real  CSO.  For 
reader  feedback,  e-mail  us  at  csoundercover  ^cxo.com. 


60  www.csoonline.com  September  2003 


Strong  Authentication 


Strong  Authentication 

Web  Access  Control 


Affordable  Strong  e-Security 


More  e-Security 
for  Less  Money 

Pay  2/3  less  for  strong  (two-factor)  authentication 
Use  the  same  A-Key™  for  an  optional  suite  of  strong 
e-security 


File/Folder/HD  Encryption 
Secure  File  Exchange 
Digital  Cert  Storage 


You  get  strong  authentication  more  versatile  than  that  provided  by 
the  industry  leader,  for  1/3  the  price.*  Plus,  you  can  use  the  same 
A-Key  token  for:  web  access  control,  128-Bit  AES  encryption  for 
files/hard  disk/folders,  secure  file  exchange,  and  storage  for  digital 
certificates.  You  save  even  further  through  ease  of  deployment  and 
management. 


*  Price  comparison  and  token  prices  are  approximated  based  on  average  per  token  retail  price  of  RSA  SecurlD  tokens  (in  25  pack  of  5 
year  tokens)  randomly  surveyed  from  internet  retailers  on  May  13,  2003,  and  the  average  per  token  retail  price  of  Authenex  A-Key  tokens 
(in  25  pack  of  tokens)  as  of  May  13,  2003.  Prices  are  for  tokens  only  and  do  not  include  related  software.  Prices  may  be  subject  to 
change  without  notice. 


Get  your  FREE  A-Key  today** 

on  the  web  at  www.authenex.com 
or  call  us  at  1 .877.AUTHENEX 


TM 


Affordable  Strong  e-Security 


Microsoft 

CERTIFIED 

Partner 


**  Certain  terms  and  conditions  may  apply. 


©  2003,  Authenex,  Inc.  All  Rights  Reserved.  Authenex,  A-Key  and  associated 
logos  are  trademarks  of  Authenex,  Inc.  All  other  registered  and  unregistered 
trademarks  in  this  document  are  the  sole  property  of  their  respective  owners. 


THE  RESOURCE  FOR  SECURITY  EXECUTIVES 


Index  of 
Companies  and 
Advertisers 

Page  numbers  refer  to  the  first  page  of  the 
article(s)  in  which  the  company  has  a  sub¬ 
stantial  mention.  This  index  is  provided  as  a 
service  to  readers.  The  publisher  does  not 
assume  any  liability  for  errors  or  omissions. 


Sales  and 
Services 

CSQ  Sales  Offices 

President  Walter  Manninen  •  508  935-4101 
Group  Publisher 
Gary  J.  Beach  •  508  935-4202 
Publisher  Bob  Bragdon  •  508  935-4443 
Executive  VP  Sales/Custom  Publishing 
Ellen  Romanow  •  508  935-4796 

East  Coast 

Eastern  Regional  Sales  Manager 
Paul  Reiss  •  508  935-4163 
Eastern  Regional  Account  Executive 
Kim  Forrest  •  508  935-4068 
Senior  Regional  Manager 
Kathy  Powers  •  201  634-2331 
Midwest 

Regional  Director 
Robert  E.  Sawdon  •  512  306-9801 
Regional  Sales  Manager 
Christopher  Nolan  •  847  441-5005 

West  Coast 

Western  Regional  Sales  Manager 
Mary  Sinclair  •  415  975-2691 
Senior  Regional  Manager 
Jane  Evans  •  415  975-2680 
Regional  Manager 
Ai  Collins  •  415  975-2686 
Regional  Sales  Manager 
Chris  Bramel  •  949  475-5579 

List  Services 

List  Services  Director 

Kathryn  A.W.  Marston  •  508  935-4072 

List  Services  Account  Executive 

Stephanie  Roy  •  508  935-4151 

List  Services  Coordinator 

Kim  Cormican  •  508  935-4152 

Online  Services 

VP/Online  Sales 
Lisa  Brown  •  508  935-4470 
Online  Sales  Manager 
Michael  McPhee  •  508  935-4611 

Custom  Publishing 

Group  Director  Michael  Siggins 
Director  Mary  Gregory 
Director  of  Content  Development 
Tom  Field 

Project  Managers  John  Danielowich, 

Amy  Greenieaf 

Graphic  Designer  Chris  Brown 

Production 

VP/Manufacturing  Chris  Cuoco 
Production  Manager  Lee  Tuttle 
Senior  Production  Coordinator 

Lisa  Stevenson 


Executive  Programs 

EP  Senior  Vice  President 

Jennifer  Richards 

Conference  Management  VP 

Cynthia  Mollus 

Marketing  Services  Director 

Shellie  Rapson  James 

Business  Development  VP  John  Amato 

Program  Operations  Manager  Brian  Fuce 

Marketing  Manager  Glede  Kabongo 

Marketing  Services  Coordinator 

Andrea  Slobogan 

Event  Development  Specialist 

Sandra  J.  Hughey 

Operations  Coordinator  Michael  Barbato 
Event  Planning  Manager  Amy  Turell 
Senior  Customer  Service  Coordinator 

Sarah  Yee 

Marketing 

Executive  VP/Marketing 
Cathy  O’Leary  Hayes 

VP/News  and  Information  Susan  Watson 
Media  Relations  Manager  Karen  Fogerty 
News  and  Information  Associate 
Lori  Piscatelli 

Marketing  Research  Director 
Bridget  Cammarata 
Marketing  Research  Manager 
Carolyn  Johnson 
Sr.  Marketing  Research  Analyst 
Dylan  DiGregorio 

Marketing  Comm.  Director  Sue  Yanovitch 
Sr.  MarCom  Development  Specialist 
Kari  Curto 

Marketing  Comm.  Associate 
Sarah  Crowley 

Circulation 

Senior  VP/Circulation  Carol  A.  Spach 
Circulation  Director  Faith  Marcello 
Subscription  Svcs.  Supervisor  Tina  Pescaro 

Reprint  Services 

For  article  reprints,  please  contact 
RSiCopyright  at  651  582-3800  or  via  e-mail 
at  csoreprints@rsicopyright.com. 

For  further  sales  information,  visit 
www.csoonline.com/reprints/index.html. 


Company  Index 

Aelita  Software  Corp . 36 

Aeneas  Internet  and  Telephone . 13 

Alltel  Corp . 36 

Ambersail  Ltd . 36 

American  International  Group 

eBusiness  Risk  Solutions  . 13 

APL  Ltd . 28 

Arxan  Technologies  Inc . 53 

Baker  &  McKenzie . 28 

Blank  Rome  LLP  . 36 

BP  America  . 28 

BT  Group  PLC  . 36 

Conqwest  Inc . 36 

Cooper  Wellness  Program . 46 

Counterpane  Internet  Security  Inc . 42 

DaimlerChrysler  AG  . 28 

DHL  Danzas  Air  &  Ocean  . 28 

Discovery  Communications  Inc . 36 

Entrust  Technologies  Inc . 13 

Ford  Motor  Co . 28 

ForeScout  Technologies . 53 

Gartner  Inc . 13 

General  Motors  Corp . 28 

Guardent  Inc . 13 

Guess  Inc . 13 

HR.com . 36 

Intel  Corp . 24 

International  Data  Corp . 53 

Invicta  Networks  Inc . 53 

Kimberly-Clark  Corp . 28 

Kroll  OnTrack,  Inc . 13 

LexisNexis . 13 

LVA  Corporate  Communications 

Consultants  Inc . 36 

Marsh  Inc . 13 

Motorola  Inc . 28 

Netegrity  Inc . 36 

Novell  Inc . 36 

Pinkerton  Consulting  & 

Investigations  Inc . 28 

Port  Authority  of  New  York  and 

New  Jersey . 28 

Port  of  Long  Beach . 28 

Port  of  Los  Angeles . 28 

Port  of  Seattle  . 28 

Port  of  Tacoma  . 28 

Priceline.com  Inc . 13 

Professional  Renewal  Center . 46 

Rainbow  Technologies  . 36 

RHR  International  Co . 46 

Sara  Lee  Corp . 28 

Siemens  AG . 36 

Silicon  Defense  . 53 

Sony  Electronics  Inc . 28 

Spire  Security  LLC  . 53 

Symantec  Corp . 13 

Target  Corp . 28 

Unisa  America  Inc . 46 

US  HomeGuard  . 13 

Advertiser  Index 

ADT . 26 

Anixter  Inc . 9 

Authenex  Inc . 61 

Check  Point  Software  . 19 

Cisco  Systems  Inc . 2 

Computer  Associates  Inti.  Inc . C4 

CXO  Media  Inc . 52,  63 

GuardedNet . 59 

Intense  School . 55 

Internet  Security  Systems  . 7 


(ISC)2  Inc . 21 

Lancope  Inc . C3 

LG  Electronics  U.S.A.,  Inc., 

Iris  Technology  Division  . 12 

Lumigent  Technologies  Inc . 25 

NEC  Solutions  Inc . 17 

NetlQ  Corp . 35 

Nokia . 57 

Qualys  Inc . 11 

Robert  Half  Technology  . 5 

SecurityGlobal.net . 23 

Sharp  Electronics  Corp . 40,  41 

Symantec  Corp . C2 

Tripwire  Inc . 15 


CSO  Contact 
Information 

Editorial,  Advertising  and  Business  Offices 

492  Old  Connecticut  Path,  P.O.  Box  9208, 
Framingham,  MA  01701-9208, 

508  872-0080. 

Postal  Information 

CSO  (ISSN  1540-904X)  is  published 
monthly  by  CXO  Media  Inc.,  492  Old  Con¬ 
necticut  Path,  P.O.  Box  9208,  Framingham, 
MA  01701-9208.  Periodicals  Postage  Paid 
at  Framingham,  MA  01701,  and  at  additional 
mailing  offices.  Canadian  Publications  Mail 
agreement  number  1902075.  CANADIAN 
POSTMASTER:  Please  return  undeliverable 
copy  to  P.O.  Box  1632,  Windsor,  ON 
N9A7C9. 

Permissions 

Copyright  2003  by  CXO  Media  Inc.  All  rights 
reserved.  Reproduction  of  material  appear¬ 
ing  in  CSO  is  forbidden  without  written  per¬ 
mission.  Send  requests  to  Andrew  Burrell, 
CXO  Media  Inc.,  492  Old  Connecticut  Path, 
Framingham,  MA  01701.  Telephone 
508  935-4785.  E-mail  aburrell@cxo.com. 

Photocopy  Rights 

Permission  to  photocopy  for  internal  or  per¬ 
sonal  use  or  the  internal  or  personal  use  of 
specific  clients  is  granted  by  CSO  for  users 
through  the  Copyright  Clearance  Center, 
provided  that  the  base  fee  of  $3  per  copy 
of  the  article,  plus  $.50  per  page  is  paid 
directly  to  Copyright  Clearance  Center,  27 
Congress  Street,  Salem.  MA  01970.  Please 
specify:  ISSN  1540-904x.  Permission  to 
photocopy  does  not  extend  to  contributed 
articles  followed  by  this  symbol:  $. 

Subscriptions 

Address  inquiries  to  CSO,  P.O.  Box  3482, 
Northbrook,  IL  60065;  866  354-1125.  CSO 
is  free  to  qualified  information  executives. 

To  all  others  the  one-year  basic  rate  is  $90 
for  the  United  States  and  Canada,  $115  to 
foreign  countries  (payable  in  U.S.  funds 
only).  The  single  copy  price  is  $9.  Please 
allow  four  to  six  weeks  for  new  subscrip¬ 
tions  to  begin. 

Change  of  Address 

Please  go  to  www.omeda.com/custsrv/cso 
and  follow  the  online  instructions. 

Postmaster 

Send  change  of  address  to  CSO,  P.O.  Box 
3482,  Northbrook,  IL  60065.  Printed  in  the 
USA. 


62  www.csoonline.com  September  2003 


WHERE 

JW  Marriott  Desert  Ridge 
Resort  &  Spa 
Phoenix,  AZ 


WHEN  TO  APPLY 

November  2-4,  2003  www.cio.com/conferences 

or  800.366.0246 


CIO  1 04 

Issues  ►  Ideas  ►  Impact 


Annual  Meeting 


Conference  Moderator 

:;f  I  Jonathan  zittrain 

1/  SU  I  Co-Director  of  the  Berkman  Center  for 
Internet  &  Society  and  Professor  at 
Harvard  Law  School 

The  Economy 

What’s  the  outlook?  What  domestic  and  foreign 
policies  are  helping  or  hurting?  And  what  about 
the  hard-hit  tech  sector? 

Jobs  &  IT  People 

What  happens  when  al I  the  baby  boomers  start 
retiring?  Does  the  younger  generation  really  look 
at  work  differently?  Why  is  there  so  little  diversity 
in  the  IT  ranks?  Is  offshore  outsourcing  leading  to 
the  extinction  of  most  domestic  IT  jobs?  Are  our 
schools  adequately  preparing  the  next  generation 
of  IT  and  business  workers? 

Law  &  Society 


Technology 

How  worried  should  you  be  about  vendor  consoli¬ 
dation?  What  are  the  major  cross-industry  busi¬ 
ness  concerns— and  what  solutions/initiatives  are 
getting  funded  in  the  near  term?  Should  you  fear 
the  RFIDs  in  your  future?  What  emerging  tech¬ 
nologies  are  venture  capitalists  betting  their 
money  on  now— and  why? 

Future  of  IT  (&  the  CIO) 

For  many  years,  CIOs  have  been  working  hard  to 
secure  a  place  at  the  top  management  table.  Now 
some  business  and  industry  gurus  say  IT  is  no 
longer  strategic:  it’s  just  becoming  a  commodity 
and  can’t  give  a  competitive  advantage.  Are  they 
right?  Should  CIOs  be  worried? 

And  we’ll  give  you  plenty  of  networking  opportunities,  starting 
with  the  CIO  Golf  Tournament  on  Sunday  morning,  receptions, 
special  small  working  groups  and  breakouts,  mealtimes, 
discussion  roundtables,  and  evening  hospitalities. 


Sponsored  by 


KEANE 


Satyam 


What  Business  Demands 


D^AVVIS 

The  Network  that  Powers  wall  Street - 


How  are  CIOs  coping  with  the  Patriot  Acts, 
Sarbanes-Oxley,  HIPAA,  and  other  legal  man¬ 
dates?  What  pending  legislation  is  bound  to 
give  you  headaches  if  it  passes  into  law?  How 
much  security  and  privacy  is  enough?  Is  all  the 
talk  about  ethics  just  that?  Social  responsibility: 
can  business  do  well  by  also  doing  good 
—and  do  your  customers  care? 


Golf 

Sun 


h . 

Jd  of 


-A 


Presented  by 


The  Resource  for 
Information  Executives 

\ 

\ 


Odd  Jobs 


S  s  x  F 


I  E  D  s 


September  l>  2003 


iepreneurial 

ITVJP  in  corporate  espi- 
e/lP  theft  looking  for  can¬ 
es  who  can  deter/perform 
Eve  on  growing  the  busi¬ 
es  with  possible  synergies 

veen  functions.  Waste  man 
ment  experience  a  plus.  Call 

iy.  He’ll  take  care  of  you. 

1E  department  OF 
jmeland  SECURITY 

:EOS  YOU!  Unlike  the  private 

"dor,  we’re  hiring.  Available 


agency  in  low-cost  sunbelt .c 

seeks  all-around  busybody  to  fil¬ 
ter  spam  and  keep  an  eye  on 
employee  Internet  and  e-rM 
usage  Discretion  a  plus.  Hign 

SarrassmentthresW  and 

an  ability  to  spot  profanity  in 

Spanish  Greek  and  Portuguese 

are  musts.  Benefits  include  air- 
conning,  access  to do*  low 

low  mortgage  rates  and  Mmple 

packs  of  all-natural  VIA  RA  an 

PAX*L.  No  background  checks. 


inflict  Intervention  Spe- 

Vyill  work  with  all  u 
ng  agencies,  often  all  at 

Deputy  Chief  of  the 
nym  Creation  and  Enforce- 
Panel  for  the  Information 

Irance  and  Information  Pro- 
ion  Offices  of  the  National 

er  Security  Division  (DG- 
p-.IAIP/NCSD). 

3.  Bureaucrat.  Pay  for  all  lobs 

)Ve  poverty  line! 


EXPERIENCE  MVS!  I  am  the 

lormer  CSO  ol  nine  major  com 
panies,  all  ol  which  su''"'s 
maior  security  disasters. 
Recently,  I  decided  to  turn  my 

wealth  ol  experience  into  a  P 

fessional  consulting  and  s  rwce 

company.  Believe  me.  I  know 
how  these  things  go  down  by 
now  Services  include:  effective 

blaming,  war  room  setup,  e- 

down  and  re-setup,  sharehold 

meeting  crisis  intervention.  Paid 
by  the  catastrophe. 


YOU'LL  LOOK  LIKE  A 
HERO!!'.  Script  Kiddies 
looking  to  get  into ^ 

!n  J rue  system,  the 
‘  !nd  the  intended 

ST P^tSTat8  "a 

tirne^that’s  convenient  for 
'ou  we  also  preprovrde 

addresses': solhat^oo 
Prefer  to  do  our  time  co 

pr  p  cd  in  a  rninimum- 
iocated  m  a  f  anility 
security  federal  facility, 

school. 


WE'RE  PRETENOINO  to  he 

iookingforanewCSOino-de^ 

scare  our  incumbent  CSO  into 

actually  getting  ^  and 
doing  something  useful.  Sue 
Sul  candidates  should  be 
able  to  feign  looking  lor  a  dew 
CSO  position.  «in»*s?  S. 
tend  to  relocate  Ra'e  8 
Durham  area  also  Eoodjaw 

negotiations  will  really  sell  it.  so 

bring  your  bargaining  chips. 
Respond  in  conhdence  to.  J- 
BWir.  Director  ol  Corporate 
Ethics. 


YO.  Divorced  male  WASP  non-^ 
smoker  seeks  sysadmin  named 
Scrappy- Cal'  me. 


TED:  Chief  Security 
er  for  global  manu¬ 
ring  company  looking 

•ok  down  ass?tsAen 
-  they  haven  t  taken 
'  and  perfom 
ilovee  terminations  (in 

S-rA,0?he 

[hder  pantsCnd  heavy 
!  chain).  Hire  date. 

mediately-  Pay- 
>r  you  want.  Most  look 
macing.  Bouncers,  ex 
0  wrestlers  get  specia 
tention.  Please  see  our 
ro  Bob.  currently  cow¬ 
ing  under  his  desk. 

lush  \N/ prurient  inter- 

STS?  Stultifying  municipal 


Seeking  staff  in  Redmond. 
Wash,  for  new  Trustworthy 
Computing  Portal-  Openings 

mC  windows  developers  who 

can  make  site  unhackable  using 

Microsoft  development  tools 

(pay  tor  either  one  of  you  starts 

in  seven  figures) 

Editorial  Director  (reports  to 

our  PR  agency) 

Linux  developers,  just 

because  we  don't  like  to  let  you 

out  of  our  sight 

Free  Xbox  for  the  first  200 

snarky  twentysomething  foos 

ba»-ptayiog.sPortsCc.n,e'ftt 
balls  who  apply  and  sign 

Fealty  Oath. 


DEPENDS  v.  HUGG1ES! 

Nationwide  mortuary  chmn 
seeks  mature  professions 
whose  brushes  with  breaches 

are  the  product  of  seasoning,  not 

inexperience.  Youth  is  wasted  on 

the  living,  and  we’ve i  about had, 
with  teenage  hackers  makmg 
tired  iokes  about  how  everyone 
hele  is  “such  a  stiff”  and  “prob- 

ing  lor  back  doors."  So  it  you  re 

areal  grownup  who  doesn 

(o,  sneer  at)  the  reaper,  we  re 

looking  for  a  CISO  who  can  help 

keep  state  regulators  from  find 

ing  out  how  much  we  mark  up 
the  caskets. 


Guard"  looking  for  recruits 
tadfuzzy  Katshere.  We’re 

force  to  scare'l^eople  away 

Srsrs"jg 

fessSS? 

?hPePWaArDepartment. 


mP-LEVEL  MAHOGANY- 

MW  EXECUTIVE  POSITION. 

Fortune  13,000  firm  needs  polrt 

(call,  astute  CISO  to  report  'o 
board  ol  directors.  MBA  lerrel 
business  acumen,  superlati 

communication  skills,  knowledge 

of  leading-edge  risk  measure 
ment  and  Monte  Carlo  Simula 
lion,  familiarity  with  all  aspects 
of  legal  system,  and  intonate 
understanding  otevolwngDHS 
structure  and  regulatory  rel 
tionships.  Principal  du rty «j >  6° 
hours/week  of  firewall  mainte 

nance. 


$ 


5 


■ 

1 


64  www.csoonline.com  September  2003 


BRIDGING  THE  GAP 

BETWEEN  SECURITY  AND  NETWORK  OPERATIONS 


. 


K$rv;$r-..s 


mmmmm 


'  Fiiifj'Jni  f/li j'j'jfifiyuri'l  i  lyrvy'jr!'  Davids 


WATCH 

By  Lancope 


Security  Through  Network  Intelligence™ 

Discover  how  StealthWatch™  by  Lancope,  the  next-generation  network  security  solution,  delivers 
behavior-based  intrusion  detection,  policy  enforcement  and  insightful  network  intelligence.  With 
integrated  visibility  across  network  security,  traffic  characteristics  and  host-level  activity, 
StealthWatch  provides  unparalleled  network  protection  and  optimization.  Download  the  white 
paper  ‘How  StealthWatch  Bridges  the  Gap’  from  www.lancope.com/whitepaper/cso. 


^  Lancope  A 


StealthWatch  and  Lancope  are  registered  trademarks  of  Lancope.  Inc. 
2003  Lancope,  Inc.  All  rights  reserved. 


BETTER  MANAGEMENT  DOES. 

The  secret  to  a  secure  enterprise  lies  in  not  just  monitoring  the  parts,  but  managing  it  as  a 
whole.  That's  exactly  what  eTrust,M  lets  you  do.  In  fact,  our  eTrusr  Security  Command  Center 
is  the  perfect  solution  to  security  information  overload.  It  gives  you  the  big  picture  from  a  single 
vantage  point,  with  all  your  event  information  prioritized.  So  you  can  identify  actual  internal 
and  external  threats  before  they  can  wreak  havoc.  Anything  less  would  be,  well,  alarming. 


eTrust,M 


ACCESS  •  THREAT  •  IDENTITY 

SECURITY  MANAGEMENT  SOFTV  ^RE 


Computer  Associates® 


•£>2003  Computer  Associates  International  Inc  (CA)  All  rights  reserved. 


